From 60c85f18720415842b14af65cf42f4197398769f Mon Sep 17 00:00:00 2001 From: Ramon de C Valle Date: Thu, 17 Sep 2020 17:47:56 -0700 Subject: [PATCH 01/23] Add exploit mitigations chapter to the rustc book This section documents the exploit mitigations applicable to the Rust compiler when building programs for the Linux operating system on the AMD64 architecture and equivalent. --- src/doc/rustc/src/SUMMARY.md | 1 + src/doc/rustc/src/exploit-mitigations.md | 588 +++++++++++++++++++++++ src/doc/rustc/src/images/image1.png | Bin 0 -> 15293 bytes src/doc/rustc/src/images/image2.png | Bin 0 -> 28772 bytes src/doc/rustc/src/images/image3.png | Bin 0 -> 72412 bytes 5 files changed, 589 insertions(+) create mode 100644 src/doc/rustc/src/exploit-mitigations.md create mode 100644 src/doc/rustc/src/images/image1.png create mode 100644 src/doc/rustc/src/images/image2.png create mode 100644 src/doc/rustc/src/images/image3.png diff --git a/src/doc/rustc/src/SUMMARY.md b/src/doc/rustc/src/SUMMARY.md index 57013e9194bc1..dd19861573667 100644 --- a/src/doc/rustc/src/SUMMARY.md +++ b/src/doc/rustc/src/SUMMARY.md @@ -18,4 +18,5 @@ - [Known Issues](targets/known-issues.md) - [Profile-guided Optimization](profile-guided-optimization.md) - [Linker-plugin based LTO](linker-plugin-lto.md) +- [Exploit Mitigations](exploit-mitigations.md) - [Contributing to `rustc`](contributing.md) diff --git a/src/doc/rustc/src/exploit-mitigations.md b/src/doc/rustc/src/exploit-mitigations.md new file mode 100644 index 0000000000000..5274c00b8e5f9 --- /dev/null +++ b/src/doc/rustc/src/exploit-mitigations.md @@ -0,0 +1,588 @@ +# Exploit Mitigations + +## Introduction + +The Rust programming language provides memory[1] and thread[2] safety +guarantees via its ownership[3], references and borrowing[4], and slice +types[5] features. However, Unsafe Rust[6] disables some of these features +by introducing unsafe blocks, unsafe functions and methods, unsafe traits, +and new types that are not subject to the borrowing rules. + +Parts of the Rust standard library are implemented as safe abstractions over +unsafe code (and historically have been vulnerable to memory corruption[7]). +Furthermore, the Rust code and documentation encourage creating safe +abstractions over unsafe code. This can cause a false sense of security if +unsafe code is not properly reviewed and tested. + +Unsafe Rust disables some of the features that provide memory and thread +safety guarantees. This causes programs or libraries to be susceptible to +memory corruption (CWE-119)[8] and concurrency issues (CWE-557)[9]. Modern C +and C++ compilers provide exploit mitigations to increase the difficulty to +exploit vulnerabilities resulting from these issues. Therefore, the Rust +compiler must also support these exploit mitigations in order to mitigate +vulnerabilities resulting from the use of Unsafe Rust. This chapter is going +to document these exploit mitigations and how they apply to Rust. + + +## Exploit mitigations + +This section documents the exploit mitigations applicable to the Rust +compiler when building programs for the Linux operating system on the AMD64 +architecture and equivalent.1 All examples in this section were +built using the Rust compiler version 1.40.0 (2019-12-19) on Debian testing +(Bullseye). + +The Rust Programming Language currently has no specification. The Rust +compiler (i.e., rustc) is the language reference implementation. All +references to “the Rust compiler” in this document refer to the language +reference implementation. + +Table I \ +Summary of exploit mitigations supported by the Rust compiler when building +programs for the Linux operating system on the AMD64 architecture and +equivalent. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Exploit mitigation + Supported and enabled by default + Since +
Position-independent executable + Yes + 0.12.0 (2014-10-09) +
Integer overflow checks + Supported but enabled by default when debug assertions are enabled only. + 1.1.0 (2015-06-25) +
Non-executable memory regions + Yes + 1.8.0 (2016-04-14) +
Stack clashing protection + Yes + 1.20.0 (2017-08-31) +
Read-only relocations and immediate binding + Yes + 1.21.0 (2017-10-12) +
Heap corruption protection + Yes + 1.32.0 (2019-01-17) via OS default or specified allocator +
Stack smashing protection + No + +
Forward-edge control flow protection + No + +
Backward-edge control flow protection (e.g., shadow and safe stack) + No + +
+ +1\. See + +for a list of targets and their default options. + + +### Position-independent executable + +Position-independent executable increases the difficulty of the use of code +reuse exploitation techniques, such as return-oriented programming (ROP) and +variants, by generating position-independent code for the executable, and +instructing the dynamic linker to load it similarly to a shared object at a +random load address, thus also benefiting from address-space layout +randomization (ASLR). This is also referred to as “full ASLR”. + +The Rust compiler supports position-independent executable and enables it by +default since version 0.12.0 (2014-10-09)[10]–[13]. + +``` +$ readelf -h target/release/hello-rust | grep Type: + Type: DYN (Shared object file) +``` +Fig. 1. Checking if an executable is a position-independent executable. + +An executable with an object type of `ET_DYN` (i.e., shared object) and not +`ET_EXEC` (i.e., executable) is a position-independent executable (see Fig. +1). + + +### Integer overflow checks + +Integer overflow checks protects programs from undefined and unintended +behavior (which may cause vulnerabilities) by checking for results of signed +and unsigned integer computations that cannot be represented in their type, +resulting in an overflow or wraparound. + +The Rust compiler supports integer overflow checks, and enables it when +debug assertions are enabled since version 1.0.0 (2015-05-15)[14]–[17], but +support for it was not completed until version 1.1.0 (2015-06-25)[16]. An +option to control integer overflow checks was later stabilized in version +1.17.0 (2017-04-27)[18]–[20]. + +```rust +fn main() { + let u: u8 = 255; + println!("u: {}", u + 1); +} +``` +Fig. 2. hello-rust-integer program. + +``` +$ cargo run + Compiling hello-rust-integer v0.1.0 (/home/rcvalle/hello-rust-integer) + Finished dev [unoptimized + debuginfo] target(s) in 0.23s + Running `target/debug/hello-rust-integer` +thread 'main' panicked at 'attempt to add with overflow', src/main.rs:3:23 +note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace. +``` +Fig. 3. Build and execution of hello-rust-integer with debug assertions enabled. + +``` +$ cargo run --release + Compiling hello-rust-integer v0.1.0 (/home/rcvalle/hello-rust-integer) + Finished release [optimized] target(s) in 0.23s + Running `target/release/hello-rust-integer` +u: 0 +``` +Fig. 4. Build and execution of hello-rust-integer with debug assertions disabled. + +Integer overflow checks are enabled when debug assertions are enabled (see +Fig. 3), and disabled when debug assertions are disabled (see Fig. 4). To +enable integer overflow checks independently, use the option to control +integer overflow checks, scoped attributes, or explicit checking methods +such as `checked_add`2. + +It is recommended that explicit wrapping methods such as `wrapping_add` be +used when wrapping semantics are intended, and that explicit checking and +wrapping methods always be used when using Unsafe Rust. + +2\. See +for more information on the checked, overflowing, saturating, and wrapping +methods (using u32 as an example). + + +### Non-executable memory regions + +Non-executable memory regions increase the difficulty of exploitation by +limiting the memory regions that can be used to execute arbitrary code. Most +modern processors provide support for the operating system to mark memory +regions as non executable, but it was previously emulated by software, such +as in grsecurity/PaX +[PAGEEXEC](https://pax.grsecurity.net/docs/pageexec.txt) and +[SEGMEXEC](https://pax.grsecurity.net/docs/segmexec.txt), on processors that +did not provide support for it. This is also known as “No Execute (NX) Bit”, +“Execute Disable (XD) Bit”, “Execute Never (XN) Bit”, and others. + +The Rust compiler supports non-executable memory regions, and enables it by +default since its initial release, version 0.1 (2012-01-20)[21], [22], but +has regressed since then[23]–[25], and enforced by default since version +1.8.0 (2016-04-14)[25]. + +``` +$ readelf -l target/release/hello-rust | grep -A 1 GNU_STACK + GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000 + 0x0000000000000000 0x0000000000000000 RW 0x10 +``` +Fig. 5. Checking if non-executable memory regions are enabled for a given binary. + +The presence of an element of type `PT_GNU_STACK` in the program header +table with the `PF_X` (i.e., executable) flag unset indicates non-executable +memory regions3 are enabled for a given binary (see Fig. 5). +Conversely, the presence of an element of type `PT_GNU_STACK` in the program +header table with the `PF_X` flag set or the absence of an element of type +`PT_GNU_STACK` in the program header table indicates non-executable memory +regions are not enabled for a given binary. + +3\. See the Appendix section for more information on why it +affects other memory regions besides the stack. + + +### Stack clashing protection + +Stack clashing protection protects the stack from overlapping with another +memory region—allowing arbitrary data in both to be overwritten using each +other—by reading from the stack pages as the stack grows to cause a page +fault when attempting to read from the guard page/region. This is also +referred to as “stack probes” or “stack probing”. + +The Rust compiler supports stack clashing protection via stack probing, and +enables it by default since version 1.20.0 (2017-08-31)[26]–[29]. + +![Screenshot listing cross references to __rust_probestack in hello-rust.](images/image1.png "Cross references to __rust_probestack in hello-rust.") +Fig. 6. Cross references to `__rust_probestack` in hello-rust. + +```rust +fn hello() { + println!("Hello, world!"); +} + +fn main() { + let _: [u64; 1024] = [0; 1024]; + hello(); +} +``` +Fig 7. Modified hello-rust. + +![Screenshot listing cross references to __rust_probestack in modified hello-rust.](images/image2.png "Cross references to __rust_probestack in modified hello-rust.") +Fig. 8. Cross references to `__rust_probestack` in modified hello-rust. + +To check if stack clashing protection is enabled for a given binary, search +for cross references to `__rust_probestack`. The `__rust_probestack` is +called in the prologue of functions whose stack size is larger than a page +size (see Fig. 6), and can be forced for illustration purposes by modifying +the hello-rust example as seen in Fig. 7 and Fig. 8. + + +### Read-only relocations and immediate binding + +**Read-only relocations** protect segments containing relocations and +relocation information (i.e., `.init_array`, `.fini_array`, `.dynamic`, and +`.got`) from being overwritten by marking these segments read only. This is +also referred to as “partial RELRO”. + +The Rust compiler supports read-only relocations, and enables it by default +since version 1.21.0 (2017-10-12)[30], [31]. + +``` +$ readelf -l target/release/hello-rust | grep GNU_RELRO + GNU_RELRO 0x000000000002ee00 0x000000000002fe00 0x000000000002fe00 +``` +Fig. 9. Checking if read-only relocations is enabled for a given binary. + +The presence of an element of type `PT_GNU_RELRO` in the program header +table indicates read-only relocations are enabled for a given binary (see +Fig. 9). Conversely, the absence of an element of type `PT_GNU_RELRO` in the +program header table indicates read-only relocations are not enabled for a +given binary. + +**Immediate binding** protects additional segments containing relocations +(i.e., `.got.plt`) from being overwritten by instructing the dynamic linker +to perform all relocations before transferring control to the program during +startup so all segments containing relocations can be marked read only (when +combined with read-only relocations). This is also referred to as “full +RELRO”. + +The Rust compiler supports immediate binding, and enables it by default +since version 1.21.0 (2017-10-12)[30], [31]. + +``` +$ readelf -d target/release/hello-rust | grep BIND_NOW + 0x000000000000001e (FLAGS) BIND_NOW +``` +Fig. 10. Checking if immediate binding is enabled for a given binary. + +The presence of an element with the `DT_BIND_NOW` tag and the `DF_BIND_NOW` +flag4 in the dynamic section indicates immediate +binding is enabled for a given binary (see Fig. 10). Conversely, the absence +of an element with the `DT_BIND_NOW` tag and the `DF_BIND_NOW` flag in the +dynamic section indicates immediate binding is not enabled for a given +binary. + +The presence of both an element of type `PT_GNU_RELRO` in the program header +table and of an element with the `DT_BIND_NOW` tag and the `DF_BIND_NOW` +flag in the dynamic section indicates full RELRO is enabled for a given +binary (see Fig. 9 and Fig. 10). + +4\. And the `DF_1_NOW` flag for some link editors. + + +### Heap corruption protection + +Heap corruption protection protects memory allocated dynamically by +performing several checks, such as checks for corrupted links between list +elements, invalid pointers, invalid sizes, double/multiple “frees” of the +same memory allocated, and many corner cases of these. These checks are +implementation specific and vary per allocator. + +Newer ARM-based processors provide hardware assistance to detect memory +safety violations by tagging memory allocations, and automatically checking +that the correct tag is used upon every memory access, namely [ARM Memory +Tagging Extension +(MTE)](https://community.arm.com/developer/ip-products/processors/b/processors-ip-blog/posts/enhancing-memory-safety). + +Rust’s default allocator has historically been +[jemalloc](http://jemalloc.net/), and it has long been the cause of issues +and the subject of much discussion[32]–[38]. Consequently, it has been +removed as the default allocator in favor of the operating system’s standard +C library default allocator5 since version 1.32.0 +(2019-01-17)[39]. + +```rust +fn main() { + let mut x = Box::new([0; 1024]); + + for i in 0..1026 { + unsafe { + let elem = x.get_unchecked_mut(i); + *elem = 0x4141414141414141u64; + } + } +} +``` +Fig. 11. hello-rust-heap program. + +``` +$ cargo run + Compiling hello-rust-heap v0.1.0 (/home/rcvalle/hello-rust-heap) + Finished dev [unoptimized + debuginfo] target(s) in 0.25s + Running `target/debug/hello-rust-heap` +free(): invalid next size (normal) +Aborted +``` +Fig. 12. Build and execution of hello-rust-heap with debug assertions enabled. + +``` +$ cargo run --release + Compiling hello-rust-heap v0.1.0 (/home/rcvalle/hello-rust-heap) + Finished release [optimized] target(s) in 0.25s + Running `target/release/hello-rust-heap` +free(): invalid next size (normal) +Aborted +``` +Fig. 13. Build and execution of hello-rust-heap with debug assertions disabled. + +Heap corruption checks are being performed when using the default allocator +(i.e., the GNU Allocator) as seen in Fig. 12 and Fig. 13. + +5\. Linux's standard C library default allocator is the GNU +Allocator, which is derived from ptmalloc (pthreads malloc) by Wolfram +Gloger, which in turn is derived from dlmalloc (Doug Lea malloc) by Doug +Lea. + + +### Stack smashing protection + +Stack smashing protection protects programs from stack-based buffer +overflows by inserting a random guard value between local variables and the +saved return instruction pointer, and checking if this value has changed +when returning from a function. This is also known as “Stack Protector” or +“Stack Smashing Protector (SSP)”. + +The Rust compiler does not support stack smashing protection. However, more +comprehensive alternatives to stack smashing protection exist, such as +shadow and safe stack (see Backward-edge control flow protection). + +![Screenshot listing cross references to __stack_chk_fail in hello-rust.](images/image3.png "Cross references to __stack_chk_fail in hello-rust.") +Fig. 14. Cross references to `__stack_chk_fail` in hello-rust. + +To check if stack smashing protection is enabled for a given binary, search +for cross references to `__stack_chk_fail`. The only cross references to +`__stack_chk_fail` in hello-rust are from the statically-linked libbacktrace +library (see Fig. 14). + + +### Forward-edge control flow protection + +Forward-edge control flow protection protects programs from having its +control flow changed/hijacked by performing checks to ensure that +destinations of indirect branches are one of their valid destinations in the +control flow graph. The comprehensiveness of these checks vary per +implementation. This is also known as “forward-edge control flow integrity +(CFI)”. + +Newer processors provide hardware assistance for forward-edge control flow +protection, such as ARM Branch Target Identification (BTI), ARM Pointer +Authentication, and Intel Indirect Branch Tracking (IBT) as part of Intel +Control-flow Enforcement Technology (CET). However, ARM BTI and Intel IBT +-based implementations are less comprehensive than software-based +implementations such as [LLVM ControlFlowIntegrity +(CFI)](https://clang.llvm.org/docs/ControlFlowIntegrity.html), and the +commercially available [grsecurity/PaX Reuse Attack Protector +(RAP)](https://grsecurity.net/rap_faq). + +The Rust compiler does not support forward-edge control flow protection on +Linux6. There is work currently ongoing to add support +for the [sanitizers](https://github.com/google/sanitizers)[40], which may or +may not include support for LLVM CFI. + +``` +$ readelf -s target/release/hello-rust | grep __cfi_init +``` +Fig. 15. Checking if LLVM CFI is enabled for a given binary. + +The presence of the `__cfi_init` symbol (and references to `__cfi_check`) +indicates that LLVM CFI (i.e., forward-edge control flow protection) is +enabled for a given binary. Conversely, the absence of the `__cfi_init` +symbol (and references to `__cfi_check`) indicates that LLVM CFI is not +enabled for a given binary (see Fig. 15). + +6\. It supports Control Flow Guard (CFG) on Windows (see +). + + +### Backward-edge control flow protection + +**Shadow stack** protects saved return instruction pointers from being +overwritten by storing a copy of them on a separate (shadow) stack, and +using these copies as the authoritative values when returning from +functions. This is also known as “ShadowCallStack” and “Return Flow Guard”, +and is considered an implementation of backward-edge control flow protection +(or “backward-edge CFI”). + +**Safe stack** protects not only the saved return instruction pointers but +also register spills and some local variables from being overwritten by +storing unsafe variables, such as large arrays, on a separate (unsafe) +stack, and using these unsafe variables on the separate stack instead. This +is also known as “SafeStack”, and is also considered an implementation of +backward-edge control flow protection. + +Both shadow and safe stack are intended to be a more comprehensive +alternatives to stack smashing protection as they protect the saved return +instruction pointers (and other data in the case of safe stack) from +arbitrary writes and non-linear out-of-bounds writes. + +Newer processors provide hardware assistance for backward-edge control flow +protection, such as ARM Pointer Authentication and Intel Shadow Stack as +part of Intel CET. + +The Rust compiler does not support shadow or safe stack. There is work +currently ongoing to add support for the sanitizers[40], which may or may +not include support for safe stack7. + +``` +$ readelf -s target/release/hello-rust | grep __safestack_init +``` +Fig. 16. Checking if LLVM SafeStack is enabled for a given binary. + +The presence of the `__safestack_init` symbol indicates that LLVM SafeStack +is enabled for a given binary. Conversely, the absence of the +`__safestack_init` symbol indicates that LLVM SafeStack is not enabled for a +given binary (see Fig. 16). + +7\. The shadow stack implementation for the AMD64 +architecture and equivalent in LLVM was removed due to performance and +security issues. + + +## Appendix + +As of the latest version of the [Linux Standard Base (LSB) Core +Specification](https://refspecs.linuxfoundation.org/LSB_5.0.0/LSB-Core-generic/LSB-Core-generic/progheader.html), +the `PT_GNU_STACK` program header indicates whether the stack should be +executable, and the absence of this header indicates that the stack should +be executable. However, the Linux kernel currently sets the +`READ_IMPLIES_EXEC` personality upon loading any executable with the +`PT_GNU_STACK` program header and the `PF_X `flag set or with the absence of +this header, resulting in not only the stack but also all readable virtual +memory mappings being executable. + +An attempt to fix this [was made in +2012](https://lore.kernel.org/lkml/f298f914-2239-44e4-8aa1-a51282e7fac0@zmail15.collab.prod.int.phx2.redhat.com/), +and another [was made in +2020](https://lore.kernel.org/kernel-hardening/20200327064820.12602-1-keescook@chromium.org/). +The former never landed, and the latter partially fixed it but introduced +other issues—the absence of the `PT_GNU_STACK` program header still causes +not only the stack but also all readable virtual memory mappings to be +executable in some architectures, such as IA-32 and equivalent (or causes +the stack to be non-executable in some architectures, such as AMD64 and +equivalent, contradicting the LSB). + +The `READ_IMPLIES_EXEC` personality needs to be completely separated from +the `PT_GNU_STACK` program header by having a separate option for it (or +setarch -X could just be used whenever `READ_IMPLIES_EXEC` is needed), and +the absence of the `PT_GNU_STACK` program header needs to have more secure +defaults (unrelated to `READ_IMPLIES_EXEC`). + + +## References + +1. D. Hosfelt. “Fearless security: memory safety.” Mozilla Hacks. . +2. D. Hosfelt. “Fearless security: thread safety.” Mozilla Hacks. . +3. S. Klabnik and C. Nichols. “What Is Ownership?.” The Rust Programming Language. . +4. S. Klabnik and C. Nichols. “References and Borrowing.” The Rust Programming Language. . +5. S. Klabnik and C. Nichols. “The Slice Type.” The Rust Programming Language. . +6. S. Klabnik and C. Nichols. “Unsafe Rust.” The Rust Programming Language. . +7. S. Davidoff. “How Rust’s standard library was vulnerable for years and nobody noticed.” Medium. . +8. “Improper restriction of operations within the bounds of a memory buffer (CWE-119).” MITRE CWE List. . +9. “Concurrency issues (CWE-557).” MITRE CWE List. . +10. K. McAllister. “Memory exploit mitigations #15179.” GitHub. . +11. K. McAllister. “RFC: Memory exploit mitigation #145.” GitHub. . +12. K. McAllister. “RFC: Memory exploit mitigation.” GitHub. . +13. D. Micay. “Enable PIE by default on Linux for full ASLR #16340.” GitHub. . +14. N. Matsakis. “Integer overflow #560.” GitHub. . +15. G. Lehel and N. Matsakis. “Integer overflow.” GitHub. . +16. A. Turon. “Tracking issue for integer overflow (RFC 560) #22020.” GitHub. . +17. H. Wilson. “Myths and legends about integer overflow in Rust.” Huon on the Internet. . +18. B. Anderson. “Stabilize -C overflow-checks #1535.” GitHub. . +19. B. Anderson. “Stable overflow checks.” GitHub. . +20. N. Froyd. “Add -C overflow-checks option #40037.” GitHub. . +21. R. Á. de Espíndola. “rustc requires executable stack #798.” GitHub. . +22. A. Seipp. “Make sure librustrt.so is linked with a non-executable stack. #1066.” GitHub. . +23. D. Micay. “Rust binaries should not have an executable stack #5643.” GitHub. . +24. D. Micay. “Mark the assembly object stacks as non-executable #5647.” GitHub. . +25. A. Clark. “Explicitly disable stack execution on linux and bsd #30859.” GitHub. . +26. “Replace stack overflow checking with stack probes #16012.” GitHub. . +27. B. Striegel. “Extend stack probe support to non-tier-1 platforms, and clarify policy for mitigating LLVM-dependent unsafety #43241.” GitHub. . +28. A. Crichton. “rustc: Implement stack probes for x86 #42816.” GitHub. . +29. A. Crichton. “Add \_\_rust\_probestack intrinsic #175.” GitHub. . +30. B. Anderson. “Consider applying -Wl,-z,relro or -Wl,-z,relro,-z,now by default #29877.” GitHub. . +31. J. Löthberg. “Add support for full RELRO #43170.” GitHub. . +32. N. Matsakis. “Allocators in Rust.” Baby Steps. . +33. A. Crichton. “RFC: Allow changing the default allocator #1183.” GitHub. . +34. A. Crichton. “RFC: Swap out jemalloc.” GitHub. . +35. A. Crichton. “Tracking issue for changing the global, default allocator (RFC 1974) #27389.” GitHub. . +36. S. Fackler. “Prepare global allocators for stabilization #1974.” GitHub. . +37. A. Crichton. “RFC: Global allocators.” GitHub. . +38. B. Anderson. “Switch the default global allocator to System, remove alloc\_jemalloc, use jemallocator in rustc #36963.” GitHub. . +39. A. Crichton. “Remove the alloc\_jemalloc crate #55238.” GitHub. . +40. J. Aparicio. 2017. “Tracking issue for sanitizer support #39699.” . diff --git a/src/doc/rustc/src/images/image1.png b/src/doc/rustc/src/images/image1.png new file mode 100644 index 0000000000000000000000000000000000000000..ee2d3fd4f43c6727b5042114519e12917242c3c6 GIT binary patch literal 15293 zcmeHuWmr_v-z|uONP`m6NJw{=O1Fe`r*wCzw3H0p3R2SD3@~&z3@{+wGjzv2_HTz{``k}=e}FS{X3nnPUca^XS`+b6SqAIH>la8!NLX^Rl4?juD0ski{&Q5|Z{E8n ze89h_t{>zyo&&}2xp_G7n#4^?+fCik(#_Mv#RAF7!O`A=)z!?!!otDzv!fdV1uTYy zM1>?L`Ch{-;{aym_3{&G*paWoYie3twZaKsgp?10T5rAV545dXXF0w4Ym$LIdf(>?$#~Ga3wsaKbEFasw8Dk4 zd!xnk>4)@fPp#x`B+7)K`sE9XJlJ%1@(-lFB2AoglpAc}6K!-4AGGJ@NF7db&=%`Y zeHM>iz0+iYUtdpK`5GzWD1Yzz6<)vJzs}$WxsnDN_r(fxFkP%nS`9eEM`MY_#4}n- zQI7*4>V87&o*vhlzm-yDXBGsqx(wI|XM&KDx<@~soE)A3CY*H#qD z+%OSJ_7+AxNaUfvTH}RIUu^Yk^~t5w>Y^W`_NHo+r~L=PW#I=Yz8tWUbE3tPZk;^p1|t^(MH$#5SxA#L}=x zWAHZ;V|_AxC(3=4S>pP;X6~^Jv6lu^>UVK^z4=r~d*|F`8n)wRb@E?@&)pD-)7N9S zVnq=XEu6o19SOV;PYRZDI{Hpt?1|LP#J^Tl_Nm{NxBV&61^ZgEjxChXC5zaV@Y`Vh z+Hk-$dP^I(qDM@5R$ut?19h9MLa5ks6uyoFoEtChCN9r*w(QM!BKA0_GZ57%1cu)7 zY8*Cb3jF(2>#K5_EXyi>M=_WP9b|CBT8Yjz4nyv!%Xs~ZgV&lr3ugmwkMEwGTa?N# zQ`lRl@P9vxOsd{DSKj@^_|90_k&R+;v~mtz;lO_cFth1-xRGVU&@7!IyJFI8h46es65STpB}XZM!P>GQzHzRg3Gt4-D{ zH7U=3TMmCSZ-v|`zB%9YARJuz+jov4Y0j*CB7?DJmSJ+TT1rNTB!;3u*{yJ8+I@Wrkqe{U-jdHeOn@>ND_rWZ>%@H57 z|4cFe4RLl6MEDCu+7tN~&R1dC7r$&rV}C(780~3VQqX#=I#d(G&VcC9$j5kt%JZut z3>zBJ7i98qfA=r?U*in8!0{6u8aF=}Vb2$TZ1qB?=r=WmJ#&1KRQhfhiJyB$2RkK`@ zxGJo8g*7S6dhg%rYBhM12eV#Bp%H6bR$!03%(w|anftY{P5M^jjR+@l$(Rta63 z=d;W(7_3((^Ge?7kr|z(=`)`-(#7-sNqc*~lk*(U+c<@a4Rn%xfKIuVBj5=|g$|9} zS;p5>3M%rEd7#l6Ug3Uh=6B>9j`yPP2<~53_HgZN@ZDnnZPM$M;>9t$|-JP^hlvPt@W`z9{CjqAv#T5HW z$pzUSa$@TP97tnSe}hS?#>_8Udv1Yd zht~v2lmCqPPZYqi;@Q9V`K`_B|v8?bEDa?X@;Vm2_)YG!lUYwe@SE)hnLjSz^q{HtICwFD~hEtjw8!sbKAvZW)CKz`v#gW4{b z#xhJsySY}2H*T-5Bo*1u^FA3~2~xwtLu@#|!lYYZ zU;Fn%r+v<<(TmfcaeJ(;l}D@cr?P4fCG9!vSR2pT&yk@+%vl^9v^gpkRx3%r^naVS z>5%N?AcSx@0e95}hU~cXDs}N4(QE|5W9vJx++T;1hrzOxW&W@-)^JnD6ytn=*!4uA z=(S+=vd$;ylY%g&!{>*>9O=avR$%8ZJrx?r_iC%uzO&ZeH(ZmWdGywXHPS`1C%SLD zERdy?&UEQ@zDBSA*6NThUnd3$9o}qjsPw02c9;p)o1eEk`UlFv-Y1(oioxL`+L(G| zM|FE*3v1!^MmKhm)v#OgW~}tP&7BC>%HD2M6|VjyJ3+=C^H>#p6r`dVZ&7YdPkx6M zJkUyoSqf{vVl2Z_lAm9H&q_wBPdX@IHfkCs3T;|z@St6Ch;3}}KfNY^Nv<1OE{rg+-w%ae?lGjHe;$kK zw0$sLi=HIK`WrbC(ol>eugsV)jdGczptO|r5iQY}Bg!Fgr?5YWfMR{133IY$4!z<-fu=gA+Mc#kD+O1u2wW5eg7q3>&DT&araIOt8I zd$`Uab#lPXu=IZO)v>Rlo_YJUa$PGyz6g1`RO_>Wympwqp7a#;>I?gL;ORK^#Wznp zBSX0({xNTb1b}!ymjB^mf-d6oT!Wyn$G&204!o#|3$m@!d%Pl(tDdo3q`;q4uATT5 z@84r+En26a*w1^cFZg4e6L&YAU8?@tJG#e!h9|8rN#Rs-`A-e$2UvR{|vSY~Soi~ScJoe}MWwN78PBu&Z zL<7i>4(4m+j+#B1VX1b%!=`p!y0Zf71ea%R$AWRB+hh*rd66r0C#P7gJ&xBI`R-dI z?8L-abeb~wO7-$>uaH7b{yGUv)Ru2_m{w|Yxiu33RibI7g>t73Te1*hbacGuaa>A3 zU-s*-+F+h*^GEyP7Ct^@J-GwBur~C)Q%d8r9Y#E)M-5w=4b3@El`f~)@a`V=RMbaA zL^vmb_p)JbzBvquf2MwF9$epEFCd1pxMRVDY?iB@%j)It2|}>~xAL3VjM|1ORuCU^ zH4SWLt@{eh#Cjd-3yM}KC@4mVX!qY4+_eNgApg+}e3?GHsUNU2u~GAR8v9E}Irhqd z=aPcDC{nfM=r6m}3Adezh}6Ilc`n3Z+{5-%9_a?NX6~~3sLPS5Ip|6ui7nS;ZBwI6 zH(r%8Aj5p=uU6P0+&6c7yqX>BHLumfJxbB}*~*)Tqq#K|wIX?}KN_XoKYl@w!XqL~ z#uUoc@^tN)v`Xb}Vhkc;Vw7EP*6-uyJsc~w)nEZj{*Et4#l**SW>PBGyjJ^{1jw+n zeD9@JS62&Xf1;ng=2;p01xcL{10ubjxZYh!GGev+?V)S{pCdGF|MqN;f1=V%n2f{?%hjr;kqpZmaX>XtUi-w$-Cyd zQtR;+#=Go*@4$ySY}T9kr%#R;%me~NqND=(Z(XtN7wYou7iLO~z;TC%PDo_fXrnk@aiLhdmG*nD^rY!W zARUBy25s_2A)P5-jbNZaGai`Q(T`~DY~me+-d+evw_RX6I5?DfW-MN)Ed+$Nh^0Kl z-1Y)d1_c5x@Rl=VoHFnW)NV7q9NZ3rWdfb7u<6GC{*p1HpY;(qns@5hORzC9X}P$# zpxzep$vKwMyYD*J>K;-=5@%7tlJDLrx3q|m@Hio1-0MDV{{|*hE3+eMa)XDbr;|df zu0GZ&4$Ly^JB}<~wHyyn`T1Alk&$(sjGkG|xC^g%=9u+*45e`seJLz_t68e61PplQ ziC(=;T)qpi8s%g^zb)0R`)MAr`jScG2h?>F`49oV5pdna92Gm^A&d-}ueCYe&aKT@ zHmLDJ=e5-+@F-2wW+BYld3Y(NQ%%nZwoli5iiU<<54SB&PaGRF%MkH?!Ozb>kj#wn zC4G9J(REAEWnEm6p1@)tp$7)Lp+Ihb~Y&C8wZ>DKB@dI(hO0B?Dn*T84{<*HK&!{@R_vVYtkJxw^LIEIfRb?;2B$g$DXYqP8mWHQTL zeMPoL?5#Lrn*fMWvp4oE@PSO^Vra6)b~cpFKnO2jlLZB}O%iBIrcmA1MzZ15*(;n> zJ$rG>>QpWZdG(*~kd?DUq|*6HxdcrgR})KpqU64~)0bT8UmB%qg3v4a`2MSg(pKSEHZ;%~p9h@t(b1_w&!1n1oA!{0}D*E_u!}K`{x)l?fL6hWCOXHPgr)LYt zUmc_&dQlf?;IPRAln=he4nt{%jqFSo=+t;Ij*33eM8D?y`61-k`p<8@`d(t*-8aBU zJ)_O&)~@xzLSoh9v6>ZcPQBW)v*RO;i&GtOez?CEe2$K#RJjP`gX60P_K2vcRe+-@ zrW_hH!CKLON`%$jUQV*_FSUkk4yVzk)*E+p>IDQst6m9^p<)mXnZWl`hcZRuLohbg za;1460{}#)@Hd?`y}HD#H>TR|N`C7iozH%#$$d}IW51z#qm5Jng+b zJz*aSEQVHF^;%Xt?@sL~Mj8NYf=f9K6wbfo7r9C|I9}sTO0SqA8w*!C+#oWW)bIaE zg!Zx4=2eqBLaOn_C+{j5BWwzhr?i+D*H^s}idkHVOw%@#EmEXg;};{D!c{lfFpWQI zK>)@Ds5eT4wa7bt#8pbG{Vh?@Tcih^ulSzHy6V?YG^k1_X9`Kh_h22JpDS~fPhwfo zgSbydp>F$QF(TeB1h_vYuXc~jJvWCkV<9WXw_0nLJITx2*Iu4t*IqoV<-*t5{3;aE z(SEU3*`%@;6s^!Y|6bN|BDvCXe*2{ldv)Z6+Ks3vXl+9>lrdeSqp?7=p8D?UFlqcz z9-JZnyjX}FP0HI6O%Z=%Aiod`bFezJmDriB=LevI-l(mm<$m5670j0~H>V9ipf?

KR@jcPD;-UTPki&NXDHf&jfe<2jHIO*4F91)QW=@`{f1tu9pL5*{i68%M&Ajyb z9@TwMY&V1Na+*4UQ9Vtp)i+;(oMuO9;dgj=ALPIRj{6{&Z~M#evl+1Lbd@ul0|NtPdhBC;1}aZX@jFR`k{B+RLqfTuWrz zE&OpZB_;Ji>xx~wi3;4zG0kjm=Fh1vvKO;!lzAfD000lKF>tZ8 znVU|KV0^dnVzL$g-<$npA(8pZxn$Usi+g_At0B`wd-c6e+EgRhN3&ouV+B8Gbk_qz zo2NiKGQEsQ8>ij`tMPxH=J`8Ck{BD~S!7y8Z;De_N`(=p8Q9b~R?g3Wv!Zvda^V0t zD?Xbz2nl9Xw8}K-K3ySuc(uCT5sCMJ7i|0Bq~yq5vku!U*>pExMyYQb#|$ls1cJ6?)0Vu zDYL{^2O9T+xT_g6WhT5fN$ewIqXEr#Ga^Vf3GB)bY)U)Aw}Z5k;v|caY9S|dH<=cs zo=4DfS1y{CFiqgL^}^5BNFHH9@hfdcj8%wLqJi&xQ z1CD()L@K$A9sM?iKU^qL-kE-thSFa=zHmF`CHQ2sK`up!9?5WLI_B_%D3!;P4hg{2 zc=V?FKQd=7-F>N|q!!;dx5}p%Qoy=I4F$;?fe6z@$CCb!P-D z6T@vX@L|>d+^zTxU660R*(L~!?73h^#zy+{ft|47ET7i8y;UwulrYG9{gz?DQq2&2 z4Q8z<{$8aV-#wpOJ}bIL6jy<**^-YL@X|fJeT0m;8)kKqz4^%Z;rgiQNl0daF#j(f zsOcOzcG5#@q@1gkpl8Bs4Q7R8%i8CC@WIANRllnnzjLw|O6uY@_8+5xv&|JJ;vwy- zj>Z7>;uC1ua9=7UIgTLz$yl{Liu|jQLDFoMP7cf$TNsgyv&8s;5uP0fU zl2{%i6qr7l?Feo^ZVT$L*i4rsow~U`f_s5zKriF}#ov#6d zCKvh+Rs;$;=5pI-7r+c!8FkB3sGh%dyx(T?|%TR$g0v(~CZ|5(%|aR&UV}f%RuIGx&!E%E8;o z{4UjSwyu>*M<^fkdx#uGl&a@np$mG461p>SZbJ~9m_c?r)f~s&@W;8Ztv|?<>}Y8@ zv(rM2%8->@rwctpbp9D`_P(1mdaJjOw-f;9+$?vwQ;eQA&G%_sMGDRkL3x)skoS4H zP{`5$NW62@$owxssaKH<>C%nmi@iETu1}+>$b~iry`n*%g6RC=^aG(2HJ6YH3>I=g zEl5w$0tI8pK$IsRGRq^Xp>GYTR60czZ^ayWeR0A-thR(pKIfeCQ{@9ubfj>3miobk zK@=QMe$=R2!gzG6TSo69D?MpH(Nuq#n6-lqxsiRb$0)$zPHN)GC<3a+ygo#uphB&H@UcfOh@)@SGU4APl;g+ z^_|d!)n#&5Pxpy=`gH;uD4SpGCK`~HUiMS^sjuqhZ@+1oDG<#Kyp4xhi*Qf@XF0J6 z7nk_);qgTHY{&bHd?r=MiWGWJWo4<#@-gCj2<5`2sEeS31Tl&-hD}4q;D=v^iKqTK z=ZlHyl~8hkpH?S3<`_wYS%`dg`rBJ6q+Lz6?q6f^B}-LkVGtmlnC$~i_%!(P*T*F)mrF~F`J6KV zi9PmjM!ntmOJ7gF?QJO!`bKNfEH;OfK&-t%hb=MFT5s zuna{87`zOySA-xlpK6oreKUSaZ3<{2+hm1trVj2ip}fRTw4K}~avj~&)Afh8Of6G3O>q>Pj{ z^QS$QI~hOVKIepg<+|Dh7^RJAv4d`|DMlnDQi(?|z#|!qBwT)kHZU@|^YL;q(AsaSjCvXWre*emosF~;gTqUCJT3%9;0=u4U#Qet(5&bhSJ>m{JCM<2&NiFGUa1%k+HFYO|IZv-{ z=u!zYxP3vH9G?8l0nnDrK&l{DOYjDyz4LeYPco7Xa>(}zdO?qs0;90^92>|3!asPUqDngFVDo)#$sQ2mOT?=A>p!cpPN ztXM?rgQT^(+UQ4@)K1nma)!H&=xxM6-&;|Xq-}Ju1ea>VV2|DDPL+MSezPVk1UTG#p`$pek4iq1ECu7qp4n@$V&zE$LQGd~2obfhsPvcMf(q z{6fBBpo{>q1|3#@gPX|$|2Jh_Jtsgd09dO7&@#_cm{xXH5JoyGrXLaAJIuO+j85su zzI6kD{mF<{;9twyu}WtpLpU^MYdQPN8`c8OGJ=egc|>A;G8({M0Dc@2)_kMHnF+>~ z3IRQfSHu`v>4omq)n-7e1;g-BH~apRQ9^?yJ)k`XmtMY{g)*c~wIvY#cp}q9TuC6e zjEXOPqc#iN0C(xtDw7?F&{OfTWfg7{yF4>j0g)Lv4vkiOH@Ol}IO_CXArycU5+6n! zD|r!S4tG1e{2@630^~!m;74Ogtj$>V!Gt5JD-%D%o@gB7smqeN7J|s;?&Ym%z4Ng) zRreR0Se+19^mjT8RiN`TcCbDD9u7>OnxfeB=?`BQzw-Q1W$V8^1-guN>(_F0biP_i z7+YmInB~SQPN!u1seL%DVr|W#_E;9)P8&F+M7wWp^w2bo9SAjz{UNTUytVbs`&)%D znPjg%GF4;&nhd1VSpXBrziPRDM?Bq4HYXHWb_O_(>?**j+@3Gt10o5fJ*RfTdh#a| z-HVNG^KU>Dt-p|MNNJWUeWAgq-ld~FT8Gs~x{kQbs0i3IsnzYvX8zK{J19KsXyd;5 zqVGMh1td8+vFo`NNk7LbR;LYQLz=N$P$;6gD%8s3(TpVFFAkZIIwnYgB){oZaost7 zwX4DQjFvWUdXP|QVrI{5XeT)uSo&s-@Ygu;j4NQtHNf^ z{`}zYqXd@Zwa4e7O;{L!D1c120w6T7vwD^Nz(=%PqVrk(VIJGZW+4dJ=G+PKdBBN% zeZ7BQ3-VGkKm>hOG4Gmrx(6r8ZA~BaSs7Sv$ts`96|4$QPg*Ojxb71h551-?;176@9U!>05`L0 zMgN^t@)4P*xuhymhHFanQcHA1pp}UE6IUUgvagOaEat*oGFI(E^#6xe(|%((KY$$ z&RF;tvbGdO`p2r13z}W;y9+-rk?}`de;OETv@Yd2ivuXOzJp-K&aNv}sCed&cf?=x z^7N-tC%5v$M)S_*mP#xF*H+*?75AC_D|?WlYNAVz-5gr8DR!fXHvp>$czs2K4e3Y# z&j=w{K!%zQOT!F7zHtCKu{9Wv;q0ejCWPu$@8q z1CpG&7D|6LGKuiZ+&x3JjE{IPI{z23C!y)c&XmZ~RUkgK)0 zx@JVfCSLBv2D0S=qK%*MsvsZ^F!LRFEJ<1KEkSNix42M6p=n?C(IqU}Qg~wHtwz*~ zKcIh54z9NF{2*#is%bX*>thT9d53hEGC8_E- zrSHnG*g2yO{?v%wH}$o!0Zx zTRktTP|PSi|kkX~g$N|5Cf-I>xM;4r3>WDikV7NwhLfnL?Y|qDy{nY`rE%aP^~ns>45Nqe+4%UH zwGZYWXpY7QMJu2OL%Qdl^IB0rSRejVjhPY@1cZdQt5Zivi2Q80&inO@ywWqYdMG8n z-m+H4>!UJh;uSUTtqsJY90CMw2CG15U|k_!XQ5 z;vdg6!xxv~Gfw$6u(W>%e3G=PAZL`F)S`d)`hw&D`^aPIqLcss7ynNNVP;R9Oss*w zdKJ*U9>w(FMFm_gx0)yTc}ku|heF?=P8$0dd!{IYS|t?WjB1sM>hR zj<3wffAaQ_+iLq^=tQGjCyb_B-W5+Fa!tV-l>@m)~ZpFtj;+fpzUUmZ&sB zOhp}#$R7;=i{2PWbAf-6M19UTZm*v2@_z0F)cnO$Scc%8cg})Y0@J67#Qey|kr0`h zIP2U!5cc4(IHo0JOOXJS9oMa4G~>I_Xus3(&plE1;jHO1<3Hbv8hRaBU_u&luOB67 zG4UT&7K4Wup}c;VD>s;dwof1Smn4o%yDtItX1y=&Q51euzIVnY|IKumVG})GtB+X3 zv`x27?eXV>w0-CaJJQ3A*$Yu$j{>(HH9&y9K85!K$_F}@sE5qi!9smD0fREvb~kcE zW20)Ln$&!qwY$u$>c0t;-7Tp%q&=v*xe{FV_40DrbrV2h=v1z-U%<8;$;dRn;=q!4F;9+-jb-5D1FTTtDkZ{=7Li2k(m*YKy!WJlzWb=5yKb@mR7%&hj$!5F zOKNBkKmv5k@aSmwBKv=ljFZkohX)A-OYBr7W|UJ)gf(jP=hoUDZH~>7@a@|_N=?;- z_BvH|g7oo>&<)=+@3aXE=1Rv09q8uYHb!j?t6?n$7Q+N*X~~aeH=^v zRstJ?iAt_^d4rlRV&P?g`yzo&FJds6y?N@<2?6+eA|5^V((6|Qrw8J|LUUvN`ftE# z%bmv6hEh01{ShPogd`dqvHxCg|9j!#Z?PI8PIt!t_2Ss6;>n`{1%h^A>A~`!#Y#Em zME_U~o^u4~`Tv~@-f9$FZ`@aGx=hs)UOxeb2MA^H`yyxV*J?&qWM}R@fO03be*QKB zw^0F*p3%9aFE7imvv%DoHS~RBYXPgf3i9ua`sHxf3pVJ z>)<^p65pS2*uz15x{6^p-;mVkYFTA9Y8Y_k4svZQEDSzy0UDmd<&AF?aE8?zONnMY zy~`VQeMlhPCjRX}kN%7LAWeFQ?~H# z$W)3^zu_Zj2Z-2$kH5Z^=z%)~S!rn#7@96}tYYCU0*6;o*qrQy>uNAjit}qDI@)a3%>un;sO@GO6$WQ(G6qH!3$)KlMq()byS;~a;iYcK$Hm^eW(zbEPK;RLmN%4KkvkqGB*K%z88}J_}@h z(r!~bQ7Iu@W#0d-pn!oL+i%Hx{pJslpSoZ$^7#I)uR&;nPJgK!u>ylibgEZ3H>H7~ z$Q(>!()o6NuwYuN>s?}N1tc$uLUXp&&S#4-*wM+El5=Wj2!<+P2`SNJ{)&uz3ZD*Q zojof8y5N|dh4d8l>Bk&N=X+Q^<(DG$g30FDc#Sd*ylSZ8l8Cq0dfY9Uh*vnw_ngbE zuh`4S2gIz!A?oY4RUQ%vcL+kf0g!whvoCeOrTq&M;3yRkM=S(>nQPG2t^1s$x)LEv zKLKzwoD|Bo^mk596(=WF*?}v5lz?T;p!xn6V6PmpPBvpxZ_+3-9~{_0WS_de8wuO( zT$N8``dFm)jB4fc)d>nJ9x<^j5I2A;;qUb9a=WQ=LsrLsJEn+3JGR!^Opic$k}@)8 zeCdsTS6t4{&JE4YC<3v;5}i_o9q-=*a7s%mWBl>wNh`oYhKHkpv=`5sJ_@t(2_1lM z$>{5o5wRI6a>fbxo|91qh@>4Xc;Zr0ssQg_9dEdfjDqMe02j>2XjT@5eoPxC?Wtp= zxrZG@IiuaOdOXKMc&n!2((C&xW{{y$Gs0ptE3?{agkG5ac8H|P>cTa^VWx&tOiauT zF&-u!@Q}FJ=xU*nLIXkvJh39iE~x8nF$-vi$Hz2$Y}jA)8^0B)wh9@=QYPnDm0_bb z?gFfj$9A6f?ptdtz~4a9(XT5U9|8am2{5}BfQ{v?YRjC`;7E#KWUcM&5m*lV7m*zV zI0kJ*=aC={9;$V&DcIvW7Yn2&)kcg!dhAk|lhXf9H*v&*-txuI1#8+lVuN|(ukqhOyYjzZu ziMf?2P2&ZzJj@*O19T=&ro8R;=!X3%D(aHS(_+SBTx)2KpkAGW8NB7$oE;xP zeCAp#m`zL=KnC}pW#3Nbk9IlKb9*j50cupOAIT*lbKiV)OT`x`u60GkcXfAHx^A%% zvg^o)9B&|P&m3?{M_-2nISv_@f&xyq`|8yzsdvUmfR75vp|M)8+l9V#YG46Qc-<2N12d?ig5VL{foH!UV(JT{jHMS6dL0JoSb@mQHM-6kSa01G z0_N8m8)(Ls5pmay{la5Brq|n907lZuA~Rp0Nj{UFOMwXTKN@9{v046tfH#d^l9h(! zy&RAlX|0q41MZz^)C-ggfP^wtHu=MmUa@P%iMH7fCKL-0Z%x4V+O4$)UfDZZJ3Jds z>QJ?c$+*8~F{%W`WK!mS$lJyAx#AV7ag@nkLSKWUwF-Rs^Qm~O)R%qWQ{h0o=(P|+ zV=~WG1~cq^x<}^r%@p_gNaA$`HUKZPYrW25G~ax%($uOoMS<+=JiFkYM+MUy*om7+-Ot*1|_w}#d#d$ZR=zOt*g>elik8`Q&dF}?3Tg|=N0 zK6-vtmhUqJefcVv!BjM>PomT7e!EQTKJpVb!>AU$;THDj`*jJx*FM4=WK>|f@w(-F zp0vhscE)?Fgfvx=UhMX-zkD*ARIH&tu>SkzzDUtZq~xn)TWY*bzV-Ty*C-kinY4P? z(V9x$L!K&RFEprCV%j-tWNAYNY%B8|AKsG*RWLxWa6T9vT#__=KZ;|ArlqJhP7=Qa;Xu(pc literal 0 HcmV?d00001 diff --git a/src/doc/rustc/src/images/image2.png b/src/doc/rustc/src/images/image2.png new file mode 100644 index 0000000000000000000000000000000000000000..03061e1f0b12dced3a87d9e4e913c1d47559f578 GIT binary patch literal 28772 zcmXtf1ymeO(=`skg9LYXcMYxy?rsagS=^lf3GNz#g`k1p?k>UI-F9wE67m{Iz>hDI z#aG~O0#|7rS9M1#R}WJcODK?oqrD{y*xbd^(gAGk=z0d*E(!%j4ka)3QNuIqINQS) zr+2BNy~e{P6i0zvJaob*K4ucGAOtBm_$Or)uJrM*Sf_wAT%O9WA=55w@aT8f*{fWn8VY3T+lG zQwsLqYwJPv!si)1;l(%v-Y09ddYn*V!q|x#b%vXIj?+vNeaah%B>7?7E>!WC7`fLi zjBTeg-QDk*T%M<>Nvp9Ur+YXg$%LQG>t@+lNGG<5b|jYV(nrkL_{MUR6g>#q=+QLk-)yM2+x=(|N2`n&RiN8Tvb@8t~SHie5!mxAS7*sDTc!FKr) z-{k8;kAoccbNv^jMncu;cvtLDKVJoh)yuDV8ls#BT=i-CQ8$mCeh4d11qXTv%Q>3@ zE@K!^j}p!6qa<1}nVXS=gSL=%9U6=>wt>6t5{~4jD2@4_8_4w^ zXX(wG?W zUe@-CpX^|FS=A1bfzeMH0U1fyQ!eu5xj^AJ1>t1KX3IsI;)h*ZAhDfrPaN~YO_r^l z5bph%XsLa-W>2rOGN$VVTjSF*nDR*40ErlR$+f|qbV-Ty67yY_WNom=%CjMj*7iz? zu*`O8?(<$1wn)Ze-(g&SETw0h_LR$`=l{>T@4WOWLmOUhBO3(cvJ4?CYytJS3wNTc zKEFgSz^i-T#l}?f9?hSOA9ecLg~RMkzwfK^MFz~0(*1;>2y6OdC+Cs4F^2Hb5+ltlu~`Voscx4SMn}SG>-8$Cgcww-Z5arZl6T{>S8mAd-#P+}6J(nc2oIwHw(H z2lxp-g@oEG6lnXazQp(wS`#_5v>(J9#6Eqi5mIG7e_du`leQ;z&Vp@9eT} z2(Y!tC>eePmnsQ4IY4rK_fAL=6fG9v>rTqYvNE}od+EmFlPb(HVt#mU=@Yofs{cI3 zf}=h)?89g;x4Qc0IazC#WIqv&7tUS$O`DcOwDnY77Y={3I< zJo^Zwy#JU9{d}-g##o5)Jl1d@!7z18N_w`E^nfeDeq2~$%s~A4W+J!htN7;2O27Ow zg5cUz?CR)|n&eVX1len6%r_U;hH@0XupFzCMYJbB`nV4)KNy}Z3! zTiCiGP3it~A+hv9N=xRQgWXcNzCI7N;Fj@+a=r0CakPKGqf6u%^evH%nS#}jl$&pU z$R;X;VoJH*xWMUG_aR8DDwpkE*)(IiJzgy4XaB;XSQujH5x9mBIamtaiiFGA*8B<4q}QW+M<>nfy>s*SKZ7Os?)i={ii zdycUJi=Rij_;NA1{2`z4orUV1+0|7JQ=owS9rMTG5A~_Vm`dSiOI4B{+t`Ng)venHfqyB`INDbl!)G^#%vl{ISz( zO%HUjEYU0`P2MHlSYK>ZVqFOyNG#ROMh((DoT>_?XC~>Aw31LzSv0PKOuK(5k1ptH z>$MwBF!^pz;#E7y=0Wsjjx{1R4oQ23(+fr2pS3&vvRJo80QWfATBqEz!j^{6@^E*G zjA8bMAv2w`5EV3(ZFNBlO3zD*_gd>lvDYVvfQ1cWsp9XIhOw<9?cPYx1?J|*I4;ul zqB(U(z5RhO0)z=J!ar%^D=NFHi{RbZ==4|0Z3xU2OAkFMK|Ijyl&P5a>D3Ht5&@#` zzYIYf$z}~&4*GEIBG#R)5?rs+dhqN5J1B|9I-bPyRQ1ku zRgC%mg2}%g9*a~p$lHEs-EoC!ZiTbVhpw8x))KxHk2WrWhF*&?ykU5I2mEZWH+KK1Z_f_G?s!j-4yT)u+gY&sN(qS?r$m4HeR_&L6G!)=^?AOKX zBOfZ+fR(Y$18_+I80|M=mIWQWHMY^>xwqpNZ~eCE1Vbjn2$`VfG?6pR!Jy=Qr#bSb z6!?Uel@R^QV~p-Ev0A^;(O}&9Jc9U9W#AkX=L6JRFI}0G-eFSU%ld@O`B_E!KyBRcvXDqLgmU z#EpWXvKmQa^|?LvD%=4)k?C^ruYy8kQOQht6td}6w*&SMp@B)X(A|iYQ{fNu&vw@P z7M7NezfeZQm1`PV4jAH_U?WVM2Irriswn=E=QYwVPsYoqbf4&q zQ!9>(x?2dk?ENF*zh2%e*SH=*b&XX=uiUvyk{`c}gANova+U2qJ(K-Zt4=7WR^ug* zE1lBa>}#~+M6JKjR*9uQFJ21*dYt`y=N9J=}S_%_<}k*)G~Uc2o->U7;K4oGjd znHN3$1P&8)Ei50(^qgz+R!5PggH$=*BTK*kVMd7)7H*D0Cj2a7E8JH~Sh(a?bod*- zY}D%|MV4T#o>RI>wVEy6!7J(FS?_WPRQ_HKVp9&Rm)7*vZxtM34)Z?Og?t|f6HA1I zvtizHI!;&wnvb}HB3u(}w-v-iG*L-b)iG^Hv1nMeUP9HC-h(#mr^(YxKiPlO4qkf* zYeU26WmwF0&X^2X;k)yXE;!4DznumpX~Q-NWxhw?L^!q*oKS{AbQdZWaW}&QO9%X=KR1_~m<#Cb`=T-VY zLdotPh|MAU|7(eRq3!2>Ifcm4l=}WAZdBJjT2KWUkLe2?TtBL9tdArln zX@g(K2;mOfaYjE3dwx7!QvD;@jS}UZI~0T;x7`eSxyn#XY8sB4@+L1dW!Xs2FHbpMaQHk{C{kGaR5a6$6Ork+0bB40?MkVdX=D=s3SBAxJSq-b3(O9(pT6=cU*ZI?F8ImJXqMU5Z%$4ve9Q4TbGh9V+By_Un5L&p&3FrMuLM4+-S-*W}F2A^L%`}E|uEdv<2z3cDpi0r#2ZK6UsCa zHR(5m;Xy&{e2U-{rm`lba(Ig6BvwUH$vF;8t*oyLxmcracKhK>B;5yN7PTy?g)(_6 z2IGLs_uhnpef2cnoPU#0LZNtbz2XN_*+$zHnw(>@+PyHC*h%~-r1b#LfAgX3p**{1E!HxFO#9+%8C2o zg$+8ani-i|TSI#}hE2n4PHtJTQ11U*_ElAdPzh%iQ=JMyEt6U@p06yU*ksWoH`$pjUszLm?H?O|#_sM@|`+MhRonQiV)5>IP;3N+pSu`m%D zPCH_0j<&bml7z$pVf@6JN;St(k?upmzLFnmndij#j#vNmdp~L2tH_(n7>x3V_+-}{ zOGr+k&UF~oz&vEfC}tF;2aR@#STE}34O-P`NmgsoRKrwA#~`mDLd0*QT zD65aALwD8Us55jcnCkx<39=*3kitHRpqu4zN_m*-w5H}$yj(>8(jE^-tUx2)wqZn9~jC1cu+U-mhGJ(Q|(aak|YL zEl2&|@;465Vf`!hFm``!Mx=o2?CjJiS4+$}$;%fqTa5ooOEkL9q| zD#;`C(VU~jCI}m<;iS$;^y;w5=zND6Mcl~E5J{-s(dBvNG)3PFbe*~E3ub~kzU{iX z6!f~pv7N1;;-(Ijj!vB{1wkZO$f`pWQEDo2=kRzlzq4e{HpK|7E`G0D3h}b#ixX3GKcJuXi zac)58hSPax1h(~38}_Jv-A19d5giN5sOAe`0(|~`BSJp=L1n)By+<a1Ej+=s&Xh0RmL0 z8$HWUym0i1)u<)OLBs)eJso7ce#5uQtRe!{{=ysaaC11>9w25l`Z7ax($Oh-eIyna z&c_Sd4~dOSOWTfbv%bI*bUjo^v?}-X8Sx>t85e$p$zS!&?1YGRu#hxYgT?{A_yF9w z>@_FC?XZ|oH0rP!hGz^-&cgD&SVmZJYL{=SK$q#^nne7|moGs}#SQKQM~(FhcKpQX zeF4|+0B_zYnyo)SJjyp1AK$NE+qu}FGO+yqx{rO@>PR1M%KkJMZ((IMc`@tY+EPpO z2q9~sJW>Cj(Y+derG3@ovBfkjp*-TVyUu9yz9D?LZT&8WH)eh=5^{H!7-_fsH$8nS zV58D9T25Jcr~85o78B1SNYo-IZZ5;$kDFHzSU>4+!hora!nqn)qT znT@K;I(9~LL?Tv!r!{+g)~Yn>KA0+o27^ZWNdpql>;IZhg$H=92R)`e9}#P}rKMqi z^WF7Y^}a%zEx*si+SoXr-)KBq&y7xDcR0pRVKbCFS**Q0K7y=~jkDDM1#LY9+<|V4 zQ3+k~pwx>;$wjELHJMVY{ZANW+V2s7jEcAF9A%sHS?n=*G_#)FZ77ymmpgZQT7%a2 zi2!O`lqUTSMb-blW_3xm(%C{_vSAWP%mli zfe1H8|6XI-?(Xm36B0^1d$(=jE~j%rJY-^gqpGS@D5-`o=kvSoX6!Nj8Lm%!h}y@} zQN&$bI0K$*gO|J^u7!}}f92vkb_>Ku%{u1_r9dU;OMLHQ?)g zj!!wlVY#_vXhhS99pesr#|xh5q{5+?!QMBAn`dVM@gl_yDd~dt2voWLlQ&Po7xVce z#^-cUK|w*^{LV=FTE%iexjvDpM&3EdxI@OKk+=W=02$&P>*BkI>w~G#urM#>XnO38 z2O$=gZ1CRL#qkxJ>6B7{9|Mi9t}cFf=U`&-FP)2UlnOB*O18Hx7?Z|Hd!#gfb(G9c z;Tfdxc|#5dLu19LXlTOjQ9exmGL@V&A^G8Ypa#zfnmt~#p7|Yi^sw6M&2D?^D15yR z+mjWqr(IB*(0KR-qKaT_p!%g(S@k}>Vib-(AsVYWBCX*jukNn+GYkR|i~ zy5w*q{rd9E??)Tc9})W&u>O9J=ht89G<|ymzWx2{iiL&c2_RFes8~jkYP|!=&-{D= zuS<;}T$}%a{~Q@!q15q0b85G2%w$;!B-v;=^*bsuGPN-Cw{g*I@$w8F7eoCD18POz z1_YZ7M@e}V70ljfJi6VUcXLqBo=T|kmcs^e>b_X-RWo)+GpbECD6L)vQ-vN@PUHQb zJeArkfylpnB)b|M8Tq-RY!5v!G(^e45t%LIp<1T|2ih9<-j0lp&Q~I+K?8E4>F}&Q z=>cfG&qr&s4$jiw&#=x;x33L?uBM>%S`(g!A=(9iHYMdx?$5FKV^dV&;Qe#caM3#? zx1;Gi{d(5>I#uUqOdK3J9cy~B&v$VdJimQftq%VZ6ciL-;%erwwP*C0$D+fIw0?NQ ze1J!K&`+?no8kj`%Fd1%<<(#$KUPG(AH9C!mufeRCa2SScFXf^bC$3dGJ83GK)KF4 zafpNALY*ICjn!*-_Xarw!@>^4__v0946(>z&9ae5^VPr5&vFV1w7k42Y;AW<6IzZi z4bQi$PiISm$Mb&@D-0cObRDtVI?2L!(5^IwL$c zH=DKV?U?npHFXXQBpQ9Jxr(gPplwy3Nqp&9|G;Y;9)eD=WxUHwZ`5=gO0H6###j@Z0>etJrUi|Ox{iy57>@d%xe?N)e z!XH1x@0oQL+g#&&jF4Wu9GYr7U5As&?4`#QfVA5;ytZ}1r!a{Lx*d0vs24ZXsv`!6 zgosQ&>{Kavngfxu@AGJ{@k=EKfUJt~b)QqKvE?-m)DXZ~JL(eyOgaobu1-U3JYg#ad4pe zoxdmKarg+ysh=v@VsSm3-=OqXaxUk3ij=ik{QEBCjOZ{ z$&oY;L*6ecdkVv<7G*kZX^7z>y)UgoSMBpC_3o#gwv}yCOLgUjdpTaW@P{*{!*P#i zEJ=bmb7Z^obB|Cu3cA}Dv`nvhT~+-#rjRifX}!;;8x_p_D->Wx%vJX}psf|vB{g>= zyvnoCyu^ev2O}*Yx>9XF*Ndq2il@`!$&jv_PRc~f09@8v!o2;o;V$N`N0UVPU&`p6 z2~wlAGGRerA)PIpG5;B>{VPy9AoubFvDt+Pl-?eZi$~nh{QH-LlQ+&fimScTm6Jb!qeoj|&~~CiB}Et zs^IW6Rrm;$;^>8S5s{X1X_m%AF7p7VoO~~_zPIO5*xRrvXG6~Fl-RV)s)E(c9;c?G zAXR6JtplrJJG<&vm0kW#=bi%>+GZcWD_j}dO0-)Xd9>QebI1W7D^I{2yP!l0i73Nr ztVppN%9H_mc8!;5)V6Wbi2;Q_8C_ZDUU^5N!Eh^KZo%DVeS#*V&@*i)S$s+f9x;%4Wq}IH7nt!KotvX<}IYjCH!sfu@u1Apd0lEGmEL_=y zfu46*!mMt%;zO;9ffaF6_m*My7Dm`+M!}bxuBD-kjyA)JcE1=4tR=`tLf(OCis5JT z!0w0r$%nazCH4*|Q;YX0b$JtT00_)cbP>oqLF(9tbd}ga`e#(K@d_P}^4a4(h>u&Z5&g|AWha{7qWibCFgl9S(o@xP@z7M}dCA zw`BrzfA?D(mnZ=!tx??ylwQPGlD2H7T6i(K zkXqhpmW@p+QUd^--kDIx+$bdy5oIUWFm4vi^z?P7G%`azvB_#t9VS~7#Don_r6T}1 zZArmN8I_b9sGlGLMtIg4Xx;2(9cH!-cD+n;>G{?aRW>P)@jT)m9BjtOZMdBHg<>eR z%ezo5X0uO48|j`6Lp+qHlSRQP&LtTrhGig!*O!LXpz8aBUmJ%pNpDb?NU7?5 z6IZ>1{~3SUnz)!+UD~K~NyV%qChFO-F2?=5?tCnLd(4?#q0qL(cTm0|x_yUv+u*`HFJ7RxxjbA5!RFLJv0kq}mjE zB6T8;K&{4(cYGgS7E*dvb?_&MPLI(Z%}qz^sL}f*&Q?=poqBr{ecY05b1jeR662DP z#ib(IKjjF3Sh?QyWW|71ZvC{?gr##V9HVw!pP5~H%Yy% z{>~QJ-sZ$;oBdiDDQr_+k%lMIV{FcPV(!bj#&Vs?0rCZY78ip%* z1%b0GZ&1J|{ocGMc8~y(2gwi15JJ?0rO5L* z6Hd;WG{IL#-V@P|3IA-QbI4Xeegs%lB!o^TV5epkbavLg&|~pMgYom|5bnI+IlejF z=fH&t@LJeH(%FK7de>(!HNkd6%+UIi!VEZkzAZXO~X2kDD z8Wg7noWpZx=f8#z#xzQN2~JN|NCU)#UWr7q7y`LvVKlHl5c-bb8Xk^1`B3LNr}bHS1@} zzL3&JXoIkU1Yv(|KE`A=$rMS@NnNW_Mq}CtvuxXVN3R+ua~k5qszU1_?w=*Qvb8_4 z@5Dx$DXX{pz!$SwQZh;FA$#HM;D28h`O5qAu#4}_dl6(%Pe=0|{WqFUL-tPhioKZT z|2~ql9BS{aijo+NUtEWk&Oe=f3}0Rif(j68BfP=4IUo?`>8o#EoPylaicp2PSSnzt zF@N2@vhjV|65br6@kzFM+7{sct(pGl*c`@L*e&3GiE8}mH8G^WdWG;vvvL3|=|D%# z|1|&rf}?|grd1J52l`=2k7b2km-ksBsUxpeY^KBQMbZ1&D-K1&qu<}1L#Q|elHZAq zQB}M0^R4Kh7|tEIfX(Zke7;7i?}D`nVKV=K_zumpGN(FVdV81+5&QqQ_ zO~KuO-)}a4KD#$1_emLI?Nh4|-@^ZwEccZ&_j@zC(K(6c8>-(#JJNKSqPu?1QkGRi zWj7};8V!P`sxd$gg?{2jJS9!j^L6Y}p8` zpAg5FO*Y^Oh1!o+E!QeyGA)nFIXksBY7wF&`sa)NVqihh_>B;6b~7io)hFLCIrqUK zFmK*`@z0nNZu(nA+};h<>B;CT0MP*$q;&lBag#I>{9e1niB_yd_EUoJF>KaAsO8hX zbVW{GeDgLVCu=*0T6=Cv8ZTxwajLvsUMr?@^cTgYfU6W04y;|etnVgwA?cZl~N*)#}Z9f!k`@ZqxJYXo5VQ^wj zv{1EtNZ2QUtnO4~L~*N~u466sf(_krrpS;uN+3j>eFxIM0K{lsZ-}RtPJs7c+pgnY zTa@W~yeQ1`u8?PbVsJ+P>Qk^%#Ha5HJEMPxnTLBfePeQouh1mKzwcjq8HqjRTbQ zN4N9s`of|e3WgnF#W{y!!>O(nRiD$#8-7_YAVexVfX>;8QY@A8E*XzrgU|h)b2jqo`}Q zNoUk|>Vg6+AKoC6#~3w%A-k&!b97VX>` z#$=oA^cmuZTR=Lu>{h^Ov~Hz&M+h(e?mwB5dL8PWAM7ZBT;ey>;+b0~RknD?Bcc-v z4c51_TE51s;~AVaZXf%k?M%pv!_ZTM1qHQ zACNsJOa0V=F`DBiB;@tJLt~W*Y$v1W{OBdRB(lh3c`_@4H>3Twpm&aOl|qR<8l+jv zGej@3ID}$toZ2b%V&E6KT@h)|T>~sj#W0_&XlBDMbEo4o5S=jhJT5blZWG)^WE*IO zHN3j8Yr*F(RMVdygspx#sOp&|klIu2wv=9D=U4G}awAXls+W#dy~rZ%h+mi+U#$6i z%{woM@|f<@^*83HCt=*ixOMWmwO3N%F{0d0o#PJqj>THSerNW=x3hS=GOE(zzGlcY z-O=XtHmuS=l?I*0XsHu(;s@`qQM)9Atl{BGy6mJ5kS#%hd+V@Ln;|%_99i=)LE= zJtY7QxIUNl}A3SbAjSAIJrUIYvXfb#|7kSajE8fl&&ZHq^NgdJItn zN}OA>HlLv+B)3){VAbZ^AoOScTvMgQ!?O;cg~gLlIK<1I6_LgoTidp*TTsR5%}^5Z z)&{hpr&m`jab3!n?7PKoBqeEH0iN#zlQhCf-X5Y4{;U|+Cj)^Fd|dV~zn_HU-uBU6 z1$>(U^4(}dre%IeJcR{)entHCr9I{8Mc1#$Un^TaSDIs^25I%Bj6cStw87UuSKDr0 zJ~xKt7qMmvK*$`*48v|m5B~rNFvp{&fB^Xto4X?8de7-#0@kQ}qV3CXI6LnRN%LQPbgDyN#^t)KOe^3Bo$DVjOr)8#$4>k6?eEp4${kp=&) z@7%w3cJ$sJEDzSm=BC*|%H@V=qm#_W?W4tqzUbeeog%}xj0UV_ zufx=N&C)OZ@}G(v!<9KpLbU}ze@Zl#Ep+_{l-XDo4HXv(z^Ut3rzfbMi)46gmI`8y z?skc6cf7L5WIyL@3=DD!&sSmtMaldL@1aI(o_MuEc~+DnIX!t`)Q%$T#Ltgtv3qw# zGPS}v=H1>gi3#eF^zXISfqxO%0=bmhJ+n`wb+P7gonsTb6{BO$Zbh>73ocOTF!Czr z+h!6m7%|6{`=B>hG?tr#yP^YkWZ=h<$tJGi!r`Baq&%Q>VO+D;%D#SLLu0)bF2C;aL^` zy;`yC4*Ga=ZWJN{)!+D{y^qbmAARt1K!rPWl>79?n=keaSJ+WQ{A530-m{?~Ykc+( zn!)QDZ?9Z0@$sJgZK^z0Y*}sos!BLlvZ>&xQ^Oeq{Zdwyv?o(ry6#y2C_IM2u+i#h zb-7NGeSi2$3TyHl^L#Am#B8ivp#{{AcV8AIjEEOwdy+KJNuzh-mcYxkqu+%^e-Wuk zDA^I`D&4~d+CRo%0_5Rr)hh~EVN!2%vz!}1%Kjbk(e0<&Jtr~0d&0%qxk(P_44<9c~Q3=A!}`j&Br0)ZTK zR6!d8bA0aqbg}a{3=ZM$VuGYzjrAwBE;^zR2C@0%h%^+lQBCq*#PZl@^IWU$G1zap z!V$n$z|{r{h7+x5d^bn2z;WHd4qz7(fI)sE;79`)SWJ#!_dZ*Z*Iz1%1K~F(%g=2g zim2cM**KJz{6`?0zY=g24a=a7EQ}QQjl0lLhyLB{_Hk(VB_Zoym+NFdC5^IUz<4zV z>N9jDxOe{3EYF047ju1w2<@Kf_-yFxc5&U>x)5*-2Tmx-ZvDYn?TJ#wb#X zA@>Rdcs|25{)gTh$!G)~{Kd+|egOsws^Op&hqjcgW=-2JgPo%=j5an-uT}pqnD1%8 zV*P8cb!7vGZySDLn|gi4LIAO*XHF7QHM- zPxvEcnF)E%eADpmoOr(7=xG46!!Zba;Q??$||0z!l@P>_@ukz&Ek@ooeS{!)rf%>A~69v@gVxO6v-xeV|aU|8DJF{ zc3c>bRC5pbF2OL&BFYU{M-CS39KFz_6c`F_bsNl_6mo{b{y*$&?BlQ!)<_$?TdXwU z+;M8;+#4bvx^;{4%#q5WyjE~XD44?reHz1S?256d0csaoLt5`jAx@YxCMNOK-~@NQ zb~(!{+h%e`457(^5teioj)8+3NtrwjKOEZHIzwCmHnId$u$-W1r*GI`dZ918iZH}r2%i+09EU|m{TQ>b-91@9MTfr9}0>kt%~lQ z`A1?+EdmPQ0@j%q6gwFK%U~==R8nHp6DT*_wq0`@@_*KW)f`oR@8ls6H%Z*FMLdlH z64+hWQvgHRrDUF^AV=v-&!E6$AVVRxn0 zV@(B`V^x-XD}_=zmqfErs|R{J|BRII&?0O6)uAUaNxkAZ^;zehF;jlVVcV{=@+d~e zkryz;nhw#HzjRv}QK7*yTS^gP!P@8v6mYdW{U&nYTd;ZW%ou@y1tLIDtI>V70(u`< z>bh#IbZ_&$-Y${y#d{xoK`jTvF|eAwcz@x}ifa8ZJ^M4|v1xrq+t{+_>-!{D!={NL zSAODe_#DBX#h(9mc=oEH5WVUoD8- z1+m36&SQ^IeZsv?5V`9eK+T4z27mA*Ub05#zU#o}jjm-g*SG?R_ zUFExo*om_RQ_mn<2%JHojzo#q}2`5K63xGLB{iHUgF+0ms zn#1t?5jYcJGCRpXOB##`od?599BiE0_vbziEFss(wbMIWu79xH$YmVx%)__hik&U! zwt2izpX@Kz+O~~%-vsvC z{Yk=?Ikhe5G4BBOjNSQ(8@^xH_?=4EEyZaA&AGs;g+EL7v#1SB96qQgqIxXkMM_4P zFr!x84)x8VbyLZ)fWu~Y{zKLI@RTCqy@?fj>tecKxk6J=wG)$%8%D zcgJh(x##CjGT#ZMqd&0x0wMsLR;l5y1Q-(+xA&K7J|G&xy*ZrO%8MYSq@v1KIXdrM z?+hUj_GHHpxyCHjD&NfZSnXUBJ2P<&2nYZqnD0}eu)2TD;72ofz&p7jKD=mz+~m~Mq5J#RqAzz_FoPKh30+mD-Cw_bqh@4`N;URh zF#mDA6)UDzX(S>cDOsXf`hiKig4sz-DUChIWoPI;F7A$Vz}0W?-T4L}pXzrz0W^*h zkGCh~9iQg^+F;u+{>=lFCDWD0xxmyKD}bO60CX-id3kxRXRB`lD_k8dc0@+^=4`Xx zC=Tlha$xie?E&pf&)pbe1q#WG0McXtCk!$1@DMvj(z$^6pyl9r9|$}R_-<)Hx&tK{ zj=FK$d}g&jk;iP@mQ}y%&9t_+VFt*Zs3FT>3{_RtBo_UYJjn={D$qEopzFSPI;Z8= zsHn|9{iIB4sk{RlgCPRZ3L%kv{W$@|U*=LJq^K!O-*HJb7M{ritg z?k5X%ZqZCtdJ2P=JHr4hvc|{93ttXU?KaCIaZ@b(wV^s$s;8r*3?_1HiSLb0ZPiC`O*n&k5xeaybKiF&S-^w5j{o&T;fr{4&y;ExYm`j>wO&o4 zQB2jlAu1>?zB(+eRLz$`Q%Gf0KAJ5TAR;^S_rQeVbyyZpX4EWu8F52=uV&U@#?PEe zS=pxKC4xve#*YqK1JPx$>V%u>IMXx?c`%|+c6);v6oJzf09%kaFPE~&Q0Qq((}>0Y zYVmIHAf0;X7z`>0gR1QzsmwZNW|R_0vlWKJQMgR_V*b9Yc)t`afq|Ck{0T1Cug4-H z8cyRdN3QiX?&;}KX|8L8tH2E29nHkX!g3k3)cU0oG%=yl;YtA3rj(G7xZ6oJmQzx) z==(;{a?wXrX4uTT=8_xm;)PBk*mJtltXpG+2DqFX+TGrG?)X4F)&1o#8<3VvI)mYp z0KXQ$q@|;)v7KW@ClehBhDQM`_4nvyS95Rvk2w%T7;C;)Xs=IK7{q!>0RWf{)<$cv}b>&*|y!=W^MWYkPfpL^&|S15|{7 z{s%U&$?XV+-F}g~FP3Z^K>4wM`Lgejkk*3`Nuhv~?f!oq*K+7`JcHjPi0dI3oX(q4 zLn$mMX^;v)2^M%S%xyb+oREv?D91p+ZUO~_)A3?$w0VCFhs6M<_To`x`zIwO)T6md z&~OTi@9hF8j5S0^VtwQB3^i&7EwVd~6gl+jVY`5Oa&oN3W{S4$@l*(eoPqmvtfwg# zTxEmmvrhq_Xiqwqv)xitGOzujO5qpHzVG*<;V%ED1t3w(oGo8y_FyC8vmdH6&|wlb z)p@zi5D?Gdb0h`KW3|%c=6dSOBpEKeuD8QLK@oJdH(q0NWknmnm!1zuLjkaVah#?H zB%PfAE;W{qpA=+&uEil4oVJmFBDSZVYVjCS0!X zB|``z#;(ROL!IN&P=S1+PQ5=Yumn#R{bU-yFnc>bhV0K(vW<&ChygS*-`vZkf}8%O z8v<|vmxmF89N$9*gf)?`(@8j}l9vImd{ON$57E7fDNeg1Hnd7J0C1=dxzRz zi(W}Q&f6W^3&E+ZMvgxwq};{pfrH`^koe)DEd$L#7DsoS7E4@bJs$4*La*`;2gQ;r zxtdKLZbd5!U-+Q6_VZ6Uz>Axf+dYckUarN1va$t9YBHLmc%scH)M03;6p z@FmAkDC~ZmhKhvbWQh0S1MOUe;gMhtr)8Agd{thO+7KWE90J^VZ*85J|LiQC3uN#{ z;spL*Wmgpt^&4!LQktbf=`KkTq*D-)ZjeSql%iwf5wcrg>*?vS($PugtZ?67I!d$7VvieE6+cbte}ww%>uZ%%-md)e^Cj;wSD&?B zEUbZx3lAHLPs)mlaR93l0D>eEh#dqd%>9OcP6W7F3#RR;hd|=Mg9bYhz~&GUv(mu# z@85l@ZvPf%TV_l679{-;|~P=mm~1EdPF5XtmEiIX_Qf zXJ@Z$vz;lA2QziVRs~8|od9}hD6tQv@bGlp9KG_~TX-I8%c7da<$bcHPIn2WU*dAX zd8|2Ra&pqD#=LJGaFum{`p!R2ek#!ZFot<~CaDAedO2_30hSgyFQ7u&rEnzsKCIlZ zu@cNE_{1Qh_=~iYKeSa4}JTP$31iatFBN!_%D&etE`u?9< ztD!;dZ#teZZV?fK7)pT`I+aHHcC*#=WBfp|w16ZiB@?R zWz7>c`2v_9j!xDI`pRw)syO2$B=N&rADHQ>bf1q3L;Ty5WgdRIMA z{|qL^$rlv#j{qEh?zo07wBUf|=6x1qsa>YkOqaF~7O5Z!s8@h=y-kk4Qw43wAmE7y zanFIN0RfPd1%R=*6ube{qHeqZ&SRaj0Z#>r!ZcMa-G4C*C?-Wm69!CiKV8 z)0?}Jy{s%t7IzlJ@e-oxrMs%TtEy^A@wY6F&3e~uoeW8T8bDz#u9xp)C?|^ya|Kn8npusIzweon?=aoVg9&?f-93D=9SH{- z3V7p-9$WnnAIf!^cK|;#zL%nr@S!j>Giw&E-)SCFqqrVZ0?RgDt}oDbJSyq|oW|kZ z_5P-J_Qp_(!uj5!~J?i^q*284p&5|hT~K)M$WXW-_>2aIr}K}N4oiBzk~ zm>MkRXf2~cOpf2}6(nH0vK7CkrpA+F8;~qmP%1zsaI3(|TN$GF{T*RKLV^RR7+$gW zzy4Zx)3RMD+i15~ZNDtB=?c(7IsGXXFjG-c@qj~ChqSt!;!_|Xn>n_K$_r3_4S|3+ zjjbenubygXXk<9;|EkBa@3?&iu4(bwEi@@3?yj~U=h#dZd2ClS9?V+An$6W(Rn~hM zPCh+8#m2+y`+1SCsG>6Z-EN}bWrS~7v1A4SZnnx_y;qcR$lba#Jpxprsh zc(^7H&Z@|pbN*!Zr%y=^4-bup)_(tn?X3cC@?4VkbF4ziY2)TE+bVhBHEICW+H}1* zFav4=C1AAp*G&(>EV$E@keGM~nA!F*;nJq_`T(KW>6GRLqQeD$0MKj4+fzhvxLUK5 z)l|7YaTo#ZnRolE6mHj}dJ2nZK9kyy5l!DK1QQe+qtDpm5IXyi+3gD0ZLp&WuE7#|nKz_P%Na$7>_W>Ta_vMw8T$9&n8G^G_ zX})p!-`#WrKsp9CHcY|yQxFIfGxKV)pK{~-uGEBL_S^`-t1Fj`; zXq5zj*F-8ZySlo-oR3X0{2K!h2_+^D1{0zD^%)+uh|9s(d*@|ev}&8lbG;5f@rlXF zns+}Lz*f%lKHnRCcKm0g2Mh_^s|%lV{$qNu(gg{S4t}s2M(fw9K3o0U>Wam+f3{uL2S(;WoaKD zu_TS~h=?vQgp5;QBv^Yi2@w4<7l_5Sh^{e*+pF~AT!#-NqM=-j1`5l|u|{m66V8b@ z8^-=5~2u(-np(-QC^q_7pv3q!gt*vSX2251jSXmz?-uP3#Xp#PA=DgQ>h79CGsn^I{bVi zBO{&m!hqb-Xm;9o2kvAgrKc+?to{DMrW1X_fM}oBU_w!B^C4tvU0@}${ z7Z&|C<8irKtOeZD`1rY7VG8O7EqTig`vo%}f2kL9H)>{kU;R9x3ck3kfO9N7T;aRI)bfkDJ!1yXM_`3bNbb`g>E@bDt#G#Q~~9|5rP zDFC;WLCna}Nxsq;rUZ^hE-*r)0uU!4gk1o$F7}ykv}a|=152kVCx<@rRfxx$mdJvc zYEzCkSrDwOUdtF&xch!k43`<<7WRZT_GIG_)thJO|WJG}tg^;BJ@v8xpu4y{3}Y^D*UQ=W$-02fZ{?Fyn^(g+rD=Igki6$V@foZMu<6~p5>4X!#|1+ExD4HtBqokcy-pS-gN1>K~Sibp_oK@vr|Kh zFSkT&)IBOD(RvA4pYnsJ_F=N>2+Hu7I3Lr0Iw zU$hPO#EYX~4>4{(I+C}HuHlae#)K;+Wnkd9#~o*{F|#gysl{i)lpCacpv(RxKeB>< zL`)|DE2+nVgxhxs?&hyZ*KM;OnelsLVqexysI- zD{52?MOZ2((}E}IAQpcJG*08~yCM2-{C4(?X0wa!3;Utd)X^>w=|S|aU)cvs*^7_N z_f=V&iIYkp+hQScP@;fX3u65W>e1#`#hmGzZ998%EXqVs4ch)|pVMppH&zU6wT7B5 zbC_o}U%q`!2zZK~Lz3hyQE7_@DKO;_75)NkkLjndD4$xT1BNQaXBSVcZ*B$*iREeS zEnB(n*K+iUm@Q~V)N@X?Fc8E|bUdD@6A}%8YRClTC=;{bD&`sr(=p+Chsj9YtJ?3= zyg$E&CKqx>O`gD~1=CmN_4Ko<{TSukZz_|qx03P9FfcWUlxtbXp=sIc zqNJAoj7DH@z?%KaRL?S~CnnAFFazS2`gH<$jYi~UWD?T)6gD$`DuYRE{ky-9_GzmX zAHrQnWjr^Y&7wpKjD>Ie6pTxU_{wxobI=bsS5m#;h3ox=BaM--!J#|S895QG$cj6g z^xd{;e+iY&;(l3Vli4;+I=HQ&w-}^+w8XOS(#U+ir7A=IMDr30U86-b!S@4wMP!qP z3O)`byiIUHum8u5j(cSLKoeZ|oXdSF0-CnGv%^b^VFeDJxdYgK`nlfu>)X2+pPdBm zgFECt9IcDas&0g8UXo>rVSWpGrQ^;Nb~?2Rcu6x>KQODe3d@~_{lIi;QEYw~!XUck z^vE9UWIp&HDn0`RC+88d6sCtZ6;4nhTV{_zOGnRk@g)QchN1ub!P$6C_oKV%X`COV zVR~-@Nu;Hvn-a%Dhfj=Kw_~c0Ir&|#4|gU z%#%_I2$>3u(|k)!WvM*S5X>T8_GM80gU#k!wj)Pcy?l$Ve@b5t9isW*O02*Z3wb5U zfl-k-2bRKPL3-+tb4~YEr5#eQDF*iu#8UA0gs-7-0R_18dVzrm?_F-OGl^Rgovq04 z?w&643lc@vnwieh5;41fQJBR%Nz(9{1scnQts0!9eclML8x`;12c0}uIu9ix(%{gQ zjdN%bc*$-S`^<{f!&yVnBKiv+5~jM>OLaAj4G2-y$iHWYCkhf9!?D>eOKz@bBM{-r z?J=uW44J#n{8Fwfr{{?D<|iPZj6a#2?)0qiLUhR6C=URlD)e zr_O@_aK4GpNSI2^8;Io|w(x2Zy!;xU&RL4_xjfh4hfNLdQOc`PaBzo_2bZXmvU^gQ zhiqfu9`l9Y8ICT38J5=>(*+QMH#(0S13WDu8u>H`{fVOZUDnjYTB`0x4E5Dz=L`Qj zk$~%u9Er?&NtL(MffxkLuAY8B*w%d+td~t&)=|V~TXKC2sb;PP-<6^{;`Rm5d2dmuTKUa#HB|c1VP@ZK2xr-@bGLe za#^`v0obOdfq_8{h052Owdn9_rw#1=J>@X`9qzItUY#-r6?D#u9c&#(0*1l0M9=Ge z703GzkpiO;rd*pIE-YX$WE+!kDM!r}i76F5Ajtl;o53B#!P*l6~FT9U{<`;MqH z>K3}%-@8aM@ZTgTg?OWU*k&JT}n(|Ju&p}J=juzHzz{$ao!zXN1WZ$7xnUzUF3hKx6nAt zkio8P^#Mqu)pugAxoOG?w29fWfS_+`)oq4~aB!LSw;Z=!0|^AJq#r8UK5f7l!Y`5_ zg{LRJNqE@H)2%(`$A4Dp+31=srir-zjcFu<1qTMxNW~ia@|vxYfRvEvHlqBN3U+;> zFfPL%hl#kTx#DaL8d%yQpN9lVI9;-i{x+#eXRGL0rBWRUSwFrT`v zHpb8__eo}+uRzt%Id?TH&pCwk>HSs9iJ0#AxEvEJaU=B1r{;m93qiZ=xLM0SifjyTtEwb7bf;m#tRUkJ-psq zc%6Pe#52$9*Ui*+I`j1%=sM`hO<=*ri5^$Wf|3Z8QC(OUb0yWW4S)%vXkZ6mMq+y9 zv97kM+UJ)SpQFkcZ1dAhf3uBQQo+vUY>|VIB-J(q2l1oO7uJ1#!=jpoHOM5TN1SdY zQYk^Op*+X}8{FYY^)s*^iTnfmgb4mn)CJO8QtUm4+Ml)= zj1V~3Y7=$Y8Iyr%SXe!AP&wY$#F6N@Spzwkm(4u!mlAO@mQ9jk=Q$3`jmFEYV-1#z zlNyRu`(?Eq-;Dc?9H~r}$>Dl6nmN)TlDWC34*RfMUIs6{z`aI0MNAde3~4W~7Ggyz zNk6L7e={S85@5=HM-*qlZ#=8=UT^DQ7)ZcVar6cLy~RWqtLynU7{VZ>gvFlO_JFz-XL`T7eXk7($+~ zASu9?I%Gg^afs3hL-(p%7IQ1oeCcceJ7Ci~XH_}ux$^+(Fje!54Q&>y`A(8lmgtfK>tjXtuq=F>& z9mh0odsozQAwYdv^nBvEeKuEASV+&zj3F2DbbGeF0q8g^8QJaCk z2e6Mu)SHnXwV?5(sx!`rnW->f03QP}fo2gQxZbG#*duXL3IS?RKBOr0diF0QYv#c< zv#Z*wR!JtcG$soBZt+QbVhrq@{xngyn5y#k)@N}Pe0Io{O_?80+nK#&;E3Lj2~zKE zaen8t(@;9SkGL}p-NbZFS=iQMZbiold&e3r33j>k z{XxrlIRvG;U2^7jz1{ld^4EzL1Z+>?NWGHCZJ$?1XQPC9?Xq+d_Clzo@m{4JNPVD{$CtT7C7YJ>6OH0uOS6$WY`B;kQk0ikx5YwZi(o``k4lT)+*EWVCwW#rx7%Wd{Nnu1Q}V*MvB4vVyD=YQsA zA`(Dz<8yDL4I;|HFa1VTKx0Laa!TYD9JBJiA2xB^lG<~^qOfR>&#d2ertaePndW#U zTFU|J-nJ=F>1M{1Mb$C!y0&48$C^YhFxz6yDuU6pOqem>|GKTn^qU{07hiNMm{Qe$ zJ&A4^cZ#kpJ%D@NU`UX(*I$)A{>vHyi*>;OX|NV@EA6+sR!iLEVjB~r&(WlbmaN>U zAE#A*aWK$ToYgkdMi85+F1y}KC#6-M zTj{+i8$NM~!Zv_1=7iiNIsqsFD&0rHdEZ}3RcG% zRyYg$WPZz>Qo$Cq~Ghb{y{FoFCZ0ZR0fJ4`;cWxH-m zQPj%b=?_oDxpx+5nZ@7i7i@|uD+NM)mnoJ$MyFw7nc-Q|W$N&c$)c+^?>v)e*QMaZ zLh>q%=sk`2-0bFRPS%5y?CO8e?y~VMIpsy`U&cJ;@g@uTgO+99m?*Zx4A!(0(+WMu zz3S&1GhZAtKRl@@u4t)UFEyImKfW&4uw<*t#N_6;XEkG{!twarZs{(5h)#c2gAwvw zMDpd|Ov%+j2V%GOuqrgep@KLyw>3c*c{S`-ue1&+8AU9#7T0ieIy{q?t6bw5+;*eq z^2@*Jt|h7s?JYlD_e{HvyDoRXe>quGe6V-7t~88je&tqMf17!*08Jax9v~0m)1mus zG)b8QJDTwJ@$P$Qe)lHh*#gy=cQX`~L6)4zWC)_CYJ5whF8On;-4rU*X;Mr|Uod8b zz2Dhy(nzYC!g&8PX3X~M#%7|0PW!9CQ8}$=6txcA=};mGZ^g^om`nY=&Gr$GWz5w@ z>_7W{pE{iQ;F032;cTY@mi%N=`o7uW<+)EOInhTwZrs}CP$Z|B8LBKl=(JgWA?~Uz zP8vMAI;^)EX2gWp?f*hUvUFE{3Qj@cnsic9cZeYcY1R($x2Uj$biGUyD!Fw65NJtu zUdW69!i%s{3Itzp(DyXE{+H+vks_tof0Vzu8_0(Le&W*oKczd4-SxepqYcwGpDa=H7P1DYnXW<)9uvqr6hkg3BJ* zQ6ASzv+&#bIbj!XG$f^H{nyDN{6ph&pLg~UB@HkU_*CsPfr*K>BNRj8epG}1uVH~d zt}z0l=)Wi!UotXw1*d{}EeC^y5}7Ms>QLmDZwI}azX9{InwTPgYkoMtPwL7C6ouXz zGU~#>{+B3y+2wHzwd7vC&&;bjzSGb&d9AX9k0a@0j;i<9j)vdPwx$Xn)A;VZWMX0> zajj9Rs1ouEen=Dj0&w!J@lsB>*cH0D-*2q$$aI@@y^AsVt)Jg`?3(NGyq2cP?Vor( zF0v7sAI>`FC=wGIxx8Kfq1m*(=a+hX?oT2gPicYDnK;4+PbC072m7MQtyk;)+k)`p zcjG|9g0|rXv#>-e)*_unRRYs=V^H<5@p+YLw}5KCAwm?Hg1fnx9Mgk&;ThDoRg^^O z7QObo!`Qj=6}pqyWPWP<3*GyCw;wQXhqd09ZNkT)%Ja0MZny-oRKXIyUKTf#7Ew99 z(KS*l$(ZoLRB`V!^Vx&=cjR-Fw-0f<2@D&q7VP>4wJA;q@>36XEODu*La!g-_wjUm zz;UpN8qI=v|ExBXb=me31v&6=kT_ou%8>*qH5`bds%n4RrG1Wf?9$e3^W&m+USj{d zOI8Rqg_xk5n26inC%5>_Lw}3AwP_g_g+^n&n=@|;VPS0F>&1r87!~g*|=z@t2!i)zbM2s93>T`NHM{D2vBw{beezA5|U=1+ocUp4aL7 zt?6Tx;f&lW*_~BJ3L0_jT?Wy7%@n&-2@5iiwuL}|d;z^91(y7*u^!;Z$c(jKng6{W zYKy6PJF>auzAyFNW}eXZ3cs_#!~z1@9L?;%ux81%*tFYP$`@KPJn}PDZBLztc@s$7 z`-qdZNf1;R*2{s^&v=n5=WzBpLAg==qlW~2ULXC}6{$YS$94yx+&&L5El>Ilb{szw zsGiKf+vk&$$LpG*ZSOfD&*~Q-X1U(YJN~UIX|WY2t#|puY1m`c6FF503EUV>Q}X%p zQHBmHozlbpx351exA&A*|5`G-AVX3*34=TP4>#|{D~+0i5ae9w5GdhZTixUKyCY|x z`&|TP1$iX7$<0^9wg24)IoJKzwch=uH626r?Y00&w{YCG`aOB(e~$Hye&&h{3=qR4sH_9S2e6~r=IwBZNq#Qt5$Bg<=(+O!s9 zSunk`eS(Z#prUahNb_$tmtWN!WJfvd%<@4x&%Zvi80Eb09HyK+I9B~y<8dg1jwnTg zP@JEjhlHU2{#u3jEjg5IzEL(k+jQt3>H}x)CouGrOFV$To7#F&wK0j!0G)U9w4B0zSA+!AP)mN6)RS*9kqTx}o{fQRY zFTzyZP5(skh<5cV&{lO`6!$X-H{pXetl_M*_c$~57eo-GwnRBUlLdNFy~bQ#?C>K0 zLXZV+d*2f#9u8_oWibPT!|+!@BGAKbP)@7DfE1}LLD62u$FD-Rk>1zK!8ti}xHK+E z<*8m4)ZB|huGa43X{4F|Y5C(L!4^VLDJ2j3{(&1zd_J?X7pJ;of`Yhc1hEtkAedPA zFF^aZ8vA<`NM|JJH>miH^!N9kj|-BT8vH;AXQ zmU%ij7Kpi}iHM2STU9=0ZwGBpNt>@>Y@Xj<6VNdWV!-zQQI@O$j|K%f9i2fgKU;dx zW^MbXedTlL=vaSjc4y_Aj(pW+l+oIC$wb1RZOvo8)0Nso*XJVjjvyC;%I$bKUAs~7 zZth42Xo5>ki+)C7VG5+&4#gqowHef+(AX4!5>8A^Y3Xr}n4^I}?^wR+tj!O?wj@1+QkEH&#L z_^Eex=Z%SjgQvwuX(1ngjPIrWa(yp)dxr9+S?T3#3<#KR*=x7m19(vL^IwQVTt;!= zlBmSJ7xW!MpGc<**?$7LQ}g>kv=XgShWA=kF&I^2@{=s9X$`k7r;kAQPSSh(zpW*2 zTFF2wNe6(DbVp29qKhs$k|~o|#jv30+5*qxw0*y}{EXagu~r0*yS^NvrBZ9B81@X$&Iqcw zUtgcmcGCJ&Nrw%b8P7`!Sup_2?#E>FA-3UP_v7m07AWc^UU#3p~h+YeQHqz@?D=Bb(g;jrO>gm3*=e! zx%r`#A?!#5)@iocnY{hVi_z|*BM@F&<6WuZ*QCh)kC3>yxD}Vv7MH(7|IiWAyT4kP z`$5r1$^rZ{Aq`E;oU?Hs*gJ8_$$yyck}*IDQGXqA7TmUKq`yDATuw#?62!XvE91>Pz|sKoYjS8-yqe#|3OY562q!}ukoRTpb8|gsmUWm$S(Q?o_#N8 z)hO}{a*|{|?9c)$brq9CTs%5x6#x>G<+Q&6+o#&!|kJBM^)8MU$iSmu{Ot| z^WjtpQs5kV2h=Sb_7*M~*Z?DfBB3gkfq|`%zs;pnN{-H|`|0T`Lg~2hF8_3V^yp-5caKI{S=L6ge8)G=L~EQjibMTk`hIi< zo|}OzvR?Ch!M&DNNv|bW0-bWbP!zN)GzdJ#m&z958yNOUJh~(1Yk=Fw`9B`ZZ(3Zs z>xkjMFKqZOyudekKbc>7-*^KU_IJoZ{ zd$_HUASE_v_?qY6;hhm*$4?})Qm7A*<0lm(EoCsMh=HV}@{wVJn+vL24P=D!Z}8zt zUp{^Q%6PUylf50z_V5^04<)2j3K}qdEH5SX=m9!=>L5BDePIX`U0@OYzYx{I9(ST< zLHR8n>WqcfGnccIQgj?4>#hxjJj zoj>*rTGNWs`j%A!#cuSi%C&yAI};!wa{-H;KGVMm9UU_=X|J2%;+b0J>R~d9qhORQbHkO$t%SY4xvY(XF8#KwopEXjjt;c#d>E% zVWE%AN|>vFxMz~_7q|Vc6n?EO46)b51*S!u2ocoy@$FE*>{hFub3f(+-rS@htVITT zJhTKfEM#PV7|Fwl0>wygsHPUgKjX--8n+^_q}U;6imC_eB27X}9xYG)=Aftuu@z!Y ztY9LkKIgap4iRIasmK%bnJwix*h{@1V@jJcAjZd95EmyC5JE$iTwa7@hAu6$smP|G zR#ctPLaI!xgY$5%)fy>>D3O`NP|Hd8#}y*(e<&Z<(ymPlrWt+O&``2oXBJ;ez(?I- zde0s@=DQ{L&igugyF7>Sw-cB&n7u~>Y2P=_$)f#dWUhpRxIn!0Akz7CGX9fBaTE7q zF*2CoHUoD+A^Rc_M`}~@Yy$sn8C$rXBdbpNMK7YaA-V=tYW;fqOCq4&6c&M2=|y83 jo@s4~H4}UHX#5}1y-pwh;RXLD5b{!9MXplDH0XZ-&4G_g literal 0 HcmV?d00001 diff --git a/src/doc/rustc/src/images/image3.png b/src/doc/rustc/src/images/image3.png new file mode 100644 index 0000000000000000000000000000000000000000..a49e14b5ed22298a41d2e7bdd4b56a396b42fb94 GIT binary patch literal 72412 zcmbTdbyQYu_ce+lprk<~At2q|ARtJ0cQ-fPq0%i4(hbtx-Q8W%-QDNndEWOMzwaC8 zJAWL9L*a(K_f>1IIpb7?bx+-~Al)|i>6>5|OR@tj4YIp`g)Xo5N{nxwsxv6Ag zm#A-lFzAz&T~YZ+in8LGMBF`wzsH`-^kR5$Pu}7`;@C^BxLU9s3NhX2Lxbmk{mJ_+ z|7#gO7AV^0g$tb=fqy?Z!Bnm^%_@DDM&|36g#OR(eCp66tbcb>68Z0U-cIT>m`{<4 z&zFNw(zP>5!58oXS^R~v2E}A#uvyY!I`Xqy6k*r2OREw&@Rh1xW%}}sSJ3F2__gNi z*T@gu;6HU_h`A7gt6LB|9?O5K^gpf0>XNwR7+venQBG8m|J@NK6t2SmtL_UIqB_++ zeAz@&wH?TwB-+Qr;|ihgUeMC*+roV_v9Np`h_1C#e30a%so%Gil$)s7aD&S4FC2d^ z`1(__It4R!B|Iv$i`P%l!q)55neR(brXkp9@PRKW(6;Seq|K!B72=YGDPhOu4A4&Q zFS>b#KG(gwpG&AXwQmK85X&GvZ=v(hu`bRplC!E*Q$X(Z-D}l9T84u9~I#ARC zoiy-gt9H$Bn4^5|gmV@S!j8Oj-em3}$I^a4y{M0B^jh4$4eK3F1{CI50)z+Qy{5w~ zmg62h87euC*tB9+S%i@q{_jf5ub;d7q7*kml^(0$KPBsrefZ?<#81A!MVC^F5Sl)* zHyr$lxwh7j0^cIAGiT9?gelChYo_y~ZJvN%s{SQzjjwQybui5pEpOpNP{wpbPnm6J z^Ay7Q0iHNoH%>tUPq-G%-VZj1N3I0!=z6*CHJsz3p?>TvvMpgsFqInG52IDjIo2Q=y|nTAA^U#|H<+ zvG$o7vM{^q@|Eg_G4@*K6J9DEHNlr6ST5$GE^n2K(Y)$dTe^i_pb;m{54Bagvb!-S z+f@>2R&p>{Y7=qU3Kfjmx?f$nRb9VQd12w~X-xTtaU8hN4{>Fo z`@H0frT6nhaXG9^<{Nw2=Oa6{Z${s}pfOCVwfPbl*yfFEs~|{c0rQTdZ8`UK{n}b4$bwqIS`9s! z4%uv&5!V?{F`BJ%+n1kUatDp2dGerPEvpHVzc- z6At;cljgYAj0tS^RNE>jxRUq2J)uXJjMjdzJ~ylK#ohYWcIFg2v_|f39Ti;fW0!A! z`i(R-WaWHN&wS>cr1>B8MjiyObSr8?bZ(lCB(}aRakMP8bAA0gC^_0--5R+m(FM)T z2g6kT5lV5~TSNl|7X(jt#12#fu4p-pTclk+?nxD0pn2F~h)-cE#hd~?HC7iLY}pD~0ikX6<$QJA{^QL1=b2GMl?kAu#xvgc(Y;+l&c8=NO^PxeT@ z8(SKj{r;d_2BwW$X^zdEOr>tq;C=9&1Fb3ZB1`Q!*3~q8)4X+ZL}mS{PAoQC@?(f& zY*MH8h*5KEFBd+1motf>27|*;&7b$R&Nuj%8u`LoIp$RB#o8-*9}}%)?J!Z9t5~X+ z1NF)H-PWxw6cz?(hYh(=ZVC`Sb$k#)a`e#XCk&!0;}St2et+Bl-l3!Z)O-v56-BJ_ zW&2U$(#Atx7g92zm5Zs=@W6UOEiBdMwVeQna2*QYgAxueR1XNx;Et{NcC zi{r3bMkT-g)DbB*YSKHlp*(HYJGQJcZDLB@}bz=t1Y6wbvt!)KO9*{%t;U1%wpOk=IqwyvI|>I6Nb^7Q6pPf;D$M3D|Dj=mO<*av z4g>g#+fz%)I~=H0lU5E3QGR6IFBG41Z(oBa^;Ya$EoVLRET=uo_opqwG5^#>GMpUSfWKcJI`_s#byjc{KYUNmt()-WiO_AzPw_Epb#Ph=C_*( zo^!J7aHsj#BYZ{tUux;kA1?G?iYT4=?mrJBLp1@s?4Qr!vy`#l4QiPWj%IWR66Fe0 z6#1m^sKZWpPZ0ib~Lg&e0+R-Y@pZwWuj)?iS|~xeYMF%j`YMPR`Tkjuw?NC zZqLaFQuY!E#%IwevZ)duve%88QqiW&)Q8QnE}qOQ2U}4gA_fKznvd3W`TS z?+4x-lW`KLnHkhvWq2wIir>(1PhGRU0T!NzsRDOZo!C6z)5$OqeRZkLPV`5OnNTX0 z5Wpi>dlgbw#7!%)Lxj9yl~h!#Eqfi8JvuLOIoWO2$+USojBf&?&vEGD9G7u~`xOsV z8uYO^l0xIlH;)$(Xva!U%H57vNHcSC654n@R*8$xT|(+EaL&ZXF|IeJI}6mB!w1zK z|K8zytl#{Ny*|#6vh9qHiRtpgcNbkVO3v6RAB?9z6FYZt|G{7hfk0GSoS^Mp9~NrQ zn2aY7lO&Be9*21yN3u19p_Z^1W2AT<8u(723N)&dbG%GP3g`O^G|Q*Vm$UknoNDJO zC;p88`r)-iKu$hu{#3Y`2rp`RqpOe9M1Yyu}N8P`9Uf@=;u|)qr3NKIc zk5QjK-m(rq++E_Pip7TBm)a8*U+#1+6hC%1`-PR5b}~2|EOZsBRmU;A(m+{Tv+m48 z-fGm@t^R%FHlJ%slAFoCtqv{Tk$ zA8}*Lry2dTnBgC#V&5D;xO&GUW(&1?59lNg-?*u#g{JbBl|q&BKNhvZrJ1UX#Q)lCijbLiyKh}2F7c%VdO{lYm5)P zPpE2Y^KBT3PWvkPyn4&7ew4ArC2pOfp&!}%#GfzcVIxVTnDCby4#y2G-gdM6X0j9FKQORsYAQyRIR&<5s>?Tlb*W_A{>biHG3K=pxKCjAwo zk+|O6d3*!+EjQ2Yv3p-E?bRP*4Ea&wkdu&emh&|=ZNp$zsEdV zf-|1zI=Kx@{}mnW)2dAXKp`jjl-lloXJ;ofGgG>0At?bf<#Zz;G=SPp+4;@RNHV)^ z^CxEJ=s~qA*?L9l@j(v0c!n$l)S+GGJ>#*=@SW>l$Op=ehPYmENCYI8uuGathG&?` zr;T#x^z@~Mkv+`VNJ|?HgKbymWKJrcOqNuPMuTa3Tb5BY2SW)0u;ZnAaCP>s@iREq zh&Vif=jV2shhqWN!XdwI(4OdTCh;p(C8VX1?(grx+GGp(IiRq2KBKaea^QqNo8u#w zj#9gcbhBpiodQMljuF`Fn!1|f!D-uE)z5U(rAtei=GAme-wLZ1WLE$F<;#=J^7jvB zT1?dn^KZ#7Fw!a04fhkq!e+@Gjwzg1E_Z;|&^k1)db+*vcWWOptu()NXH>O74@q%G z{$5Z(6%i4^ZokW9z|CEQ%DRnmKPDTP0OCk5l1)k)khuL(le)b zE-VFVgTD6pv!{2k*sPX4;27j87E;g*4P}=UY19v0;-+Pvsa3g!H$TpGSDH;rST7|@ z=>$}kEtPGcSS|$%XUWRc*_lk3GFMfxd}KRjRcdRKMulNjQZl!&C@qaAZMIbY6kb0(3vPh?&CD0!rGXMNo>>b4c6Ou5(m#4dREYiJ^GI&P(X*>E>1pr)?Q z29N@f!crX;g(@tT<1y4;o#_T`ekG$nsVSHDJa^$fYPjQphC3%B%Y|)f;%T@#UHklXclC2^m)_Te7h$k<;^0$LQ-bt+)z*HsVANeox{%a2zH8M#b>=B3zxz zlj6zi>{zzn!R>w&j_XRDalFd0EBG_G^TS=EA{Ag}3z?Ge;08|?S7(}kw@=2udUB3? zwx)O<@+D+3yXr;!%le+|8IBi!PTwN056s%S(Yu#TzFGR0n%z%-BWnApg+5eW1KA8V zLBD#=h=9RmMhfr$m%P#M1<7|TlR>UCCg=jELNlOnWs{Pf0r`F;h7K`-oP zgEV^|dGCz8ULdA2=&wY0Hd}7{mbyXzI5L_PY>7gf`Uu&2>OeiCU-}3@?S3(V!9GksE+Ie2Wdjo zqxP5JzS7gM@WE?K<0-@b`<%BZF&jz^hC5gry8Q#l4g=e=5wtFK^o?O~Fa7fA*ve7oa^}T7i!CB<0_(cpNqeqpDHl{L zQp)C8wI;bV8_{h=j#|DEyt}4Ml(oI#-~vkE#!Q=cG^3UedvWTaaNHA`W30x|?X}kE z9}`?2mkifZAJ%LwQVteK+!hZ6#nB_-#xkwFKyEPQ=EKrzb-Z4#dh7gdDaxs1AjmMJ zksHbWRNPQ-kBY`K(mpS<4dxxVsa1^$x~mT6FJ2iz`in_d^R2z|w&l>j{x}~HFA`qX zpH7Q3N96Wi(yrMO=cbtB)kyZ9|57i9*5uwp(lTHobDx^HTy(+y!OXppVx(E zSx?}J$63oW?0NrBRSp86{DVj1vEga`T4ph4Jh|e}=tsC;xp=p9VzOCr#rM;{eJ@+$ zzeP3oEoUVX>-L6A(PCceo0Y&4{`qO+*7m#Aox`@uZMN~-p=POHac+CbZNdH_TSp%- z4w+5R4UEfY8n%{o*{kSu(7K&baNmX&FLfGos)>JUD&4%kp`+0VY8rmlDJR6`V;^+(-}%>s`~0Ma zFR|gaLwez7+Uv$N6JoFz;&(YvYVqKL`C#$*juNQmRz7uI25aGn0RP6`1r%7h$z{Lt z*kTNUsRA`NXJWM{4*td6Xe%n6?)d)co5N~q{hjm9_m4e12PW5c2Bu1d->Madk7rrM zZmvV{2JW3LlBK><-nh_bx>8a^oe|J{^1)ZKSnG-JuMI`8yk=@e^15E%%W`t9Ior5{ zRw=!pO)gYQia@?JU$FPDoJaW`>Y4WC?V=iM2G~E0cA^{8lOw_I&&uMCSV~47*KU|e z!s0K2H!7^Bd71JQqGdxrv$=l$SsTQXI*v0C>Ym|B*;m7Hw(`po43p}?9Yt7Div=NH zsea3;RD?QFjN`36(U0c=&D7H6n;3%`2%TF(=8PalVuJe;LJ~<~Awm+x4#OW7=w5Sj zsv+a?4qx?GN2CqDOg#$VB)2D>-eGo<*dT8$+s0%=&L zxrvglC5a6WRm7Q2I8%{Ar|xxU=VBJBSAEs`P7C~uG1I;KDpxsrQFnJfQ@d+rdvOD) z3I{h_XwuppnrG_Z*y0t_V*Y!Fs$jQD=*oOW!7SN#xUns8T92a3zy7M*+jRd}YvA2B z_yc#Xn;~O+DEexdYEfL=0VOT#v{$51k-kBRb3t8{{^l-PvA;)^+s2-v(|e^cSF<-( zY&t!@NgK)fO>b?R@r}3zn4oW1v#RMy`CW6^a!Y4#crVf2FE`4hY7!5~#TiSwlxwwL=dQ_cTM`B_*UH zjOm$iGL=7dCkT1{-Sm;Cf!FL4?AMiyPm4QKf5<^p(8QF0F!Rq4coUl37;z+Lza<+g z{&6$`;yK^8)Si>4I_ej;yggJBu>2t9uiAJimqZWFA?-<6D?HwPJSDbSNuKWd=4y3!_ z>h^5wh2BDOg=^?;v>PV(1L+t81J;EpoF>wnO~2@_G--fbUxf@6i-f#IvsS@O*`4mW z)|wweTHrS@dH2x>Asx0Wrl=QY^19N~v2jcg7$X|3?(s#K$~l`H4G$1qe@`zk$6efH z;YG-+o%-s7cQ!A+NatxU>@B_y@?W`-dh%1u$p}ob4h@Az3t~OoJkPR96k|Ui#1mMp3&q9UX|~rTy98 z!%ZrNm2Q^hrK87|Pm*Nt;`f&99E}?*u{V<$=pkkdEA`9Z$p-o<$mb?cTw0HHtyIC1 z)Yzk^@pHjR7x|ORFao4*-D9*%Itz(k)x(j0^j`BZrP`Ed;pm& z8>JONA2baX5TctdI72ov$8p$fF5zEDIivAJwj2uNeETNZsV#kN`$TVvn}Xf{jG=LCoG0!!v`b^+3X{_+=FM{?*Wjz%%& zb3T$eTjyD3-jB8se|@E(yAsAOI3K}|n2`nY4-5)|sKFo~);7P-G|>NTQ6C*1An@jn z&`$*wt%3W5a;x=<@{xd==tGhu#D&6xnj>^=t9@h#se?4D%wubL;ya~EhD z$n0N-I!ZJCmB@Zpu3=EaV<#tqy6@IDvZmN{{P_Ak?JkA-MCOh%s3C(k+ z&@WGmg*l&iT7B}nDlF$cgGHM*Q}THZQnq|xzcld9yFj-^xZX58^Rt`Mg%4@0EN|YA zGtxnQ@T431p*XpH~nJg%EAZn@f{X6lhcI=jM6?0S{%lyWj>guHj zm;J!e`kl14sa__{+DTqLcIcfF{nbP%=VeO5I0BN_Hs-=x)>v6gMEJv@EGwD~q$+Yw#!LR^W`bb&6#rLDNrdjr~x$iONlerzX=YJBK}Lh zhGW6CkT~mlEgpUv7aJ^29qP!8DH>Bk`cUNC`JmXf7+=#7#pSnL!x5{m9g6`F2TlzK ziG>9_eGN~Ywzu(GZ}}a7(UaD{MF8tJh9A0b?As*~og4msDO4QIc|c&w(}3}N??49Y z^ZwFdX3n@E1_jga5I^{jSWA@0V;vGZw_5r72(JR-_x3UJ}5GPC2-> zu1=jl0B(62d1OTbqqnwFmHg=#D{lg~igcPhvZ>bngXT5Qn`WEjs5852j>CqUXzGK$ zo04x(4Sh8>jN}(TI+Nto`5C&0H4MhCCY8)9kHtUeM|-?dvFXJMJ>SwS=$hE{n3up4iZy$V=z!p zDybY@cadFgmP24*D0ea&yV5r;cLE#$_a_e5$T^xqjO1`SQX19VTTy2zM;@F@_}HSa zrB}!C>h@*M?Y}4THizNLJwMZLpdZpm-ZK~wQ$+Wf-asWbxg`19mzT(L6u%M!XU)rsPx7W{*piX^$@>M8J%ce+~Fwj}go6Q=U| z&MwU2LLrLPzb7x!w@-ET)RRP4<;Q;DS^O>~?e3U^GZ|hPmq$6?xVdF68O<%N9F->e zOAeOokbGg#6?uFki$uOi8aW#Nqu9)Ng(S25pF3O1@HiU;NLYiPC_BeY#^kQQKYi$Q zkygh04X!hM#f^iNq3vn@xGHV?qJ%1N55^iZvA!CtEzO#GHkoFj&*P6nv@9&{w8D}~ zgu4D>-?EJoj7m#Kr2*O7!kHjox*HT#yTVHou!8<`dzUJUk} z&}J-jG`k3%v==K9>U@vx>@{6q*^%ar%QAa`7;I}ss0)e68*Br)M^R#L9cL*c-7pn@ zgL_dXkKjg;gQIb2f~}!ml7nL=@>init`B1GsC1bkPqoFIyZ;5}lVM*j&&_2IS{B}h z9Szmb-sNI_@h8a%#B<7HXX*3d1i(IIq;HUo>KheJub*C z-}-yj0YksUrEW^&U@x4h3uCRTUJb!3RH?Cq^TcmHqnM+d)|>G-X0z=^BDpjq1e+uw z^{voEv6>U1J%L-m-qA^h_7f#W9gFNsChIFo)8S>YeH#uZJg! zL{(i#NNLowG(%x$GX}~l5ZYa<+b8pgcjDvs*_?iQb%!iRTRA2zR6UW||G8mwT+n_W zAvd_2TY1`RvKZQ2I%*upwX3j{a)I!s*ZE2tJqvH~0Hjdy8yz%!M2~oI2B@s0EM#~g z04N2&{8P`GC{n@w9$v1L;6Tj5tfPp(ObEkqn-Em<2L(gy_3FTdIGd!D2-C!cW(DP*1bIXiEWqZJVzDxPI_?AN9 z#BKWLKZe2E)lt3DcPkN>C>$3DSND{TAqsu7x;1;AExvw?UsO=V*Hjgp8rAyM=hq@- zvCcZBP(FPP<6+&B9dIl5Oul=bR_Tcd3ftE(Rxx`zN-@7ei$g83m@3|Vj`?Ca+vI*d z%c;kVE%9X~S@m^WO5g*^=vuQy{^!{z4$Z!dXb)yipj`IsLp+HXu0aQuXMy&n=kJ{u zR1!bDb5s8GSpg1fR&4X&E6UvdSEKI*^G`Uz%hYK~R%LRfwr-Vh@hJbA7#+~MrSHNc z{$w~nGuO#8*G26=$xUv{BI#$5fq%DU?YHeX?BY4>$T`kMT>QPF`0C-};r@H6{!RZT zgWb05WTN^XJ|T2{{qKrq>UJD!x^xRFs4)BA6BeA&3jQP(#aLTRM zy6)arg@vIAhv89A(RtpV2y@u)Mm_yl4Yz-|wFl)j9aVfLXs-4$nsOsisFzZU2+R-#n;p#5q5oPBnsgo=vPEC_{mt2^ zX=NgZeIT$tV{2`<#u{C(R(mHu@L|iRlEJ$?WZWEV*|>LPkZ^G&noh!B@(2C>tGzo_ z=$ax2O7N>9hFR})8k{*Xl66c4Gs#EV@E>d4ywD$iW%B7>Rte0`qrx28i6{ps7j|`Z z!Q$iN*Et;Y%~hJIG<$I0T^-TJ1aEYAcl({Jb&qF?eE9kECnlE@U3`2z3bCb`$!`vO zii_RJ3>W(~3@G3Y$9(?|wXnE|#qDBOWNSG1+o!pi*Pt&dO|9CpqqFmc)!r1f%jLdE zJcEIiqhk(O7f_K{Pw*WXk$wpcO|DT_p%S0S?HaR{?263F%Gwu0-T&*8Ku=E(T@nTw z+SlP^ZgRCMs>8#>^MiR-r5WIo|A2-YtFlm&OycN_qt~0MG{f-l@R%r2`9Oz!hRNf` zMy* z?@f98_{6tSm~%@?Nmc)55wm|oKtkdhL#-xTrZ4iF*{lnU^%PO>@%~1>NIkwkmR2n| zM<@h)p~l(^omw@HM{J6R^{Mld2|$9t*bO1?sTu#8x7Pg={&Y~}@R|C?BC?0(_3@1d zzIo8;$F_u~Qw1U$ebIxDJxh?g%LBcu!^MxB4#A+-kS!j6+Ok?j%)}Jses^hoxWHbd z*(iFn)Od4Pf8-w$l4Z9uW~i4GORF`sKU+RqVe(;RWo2f5e!SV!vxUu0nar5J9n-2mwzJ2l}f$4M}_fEQcdh9OeWPT|4EQ_d=f&8&F z8dlcUE8w>Tg@qZ7M+nNTDpjeuT`!40fA#?@B$FY8WH=DldN#}}rL2tE9fr?}TW>gs zjZUN9v(X=$r%}(M@JD_H#2qmS34_i0H<$D6FRH58PzkIM!}IOYfdtmDjt;>p^Vy%( z)vQn&^$wl$^9lJ%#bu61n&?!@EdU4#HkVbM9JNyJSFLPpbZ5&9z_UwjHbi+I&gGEt zxQzQU8XLJmlt1ql_UEg}%02yqTb^C8!^KUv@E~ZW3RDEZ;Gkg<`D9Qz9QL0_77!fV zF+CldCgAt-YkoH}GBWyjw3dcyjn$_}QYjK19z1Z0zyrqBbq0Pj2hElnm77h|+&?@} zciHbwkOR1yX>zaMDc3)+eNJHu`JhbzLoY%GN_aBq21UegHy-2k5F z1A(MK?)AEYTie^A9UUEcZnuf#;^p%dLjdxC8qdk)rQv!{csA^EZzL(Z^C_|I=0NN0 zEEXpxXR`aHid>wDi3u3#-~Ii8GK2n-%F4>$zM73LD{E`e-$k?1jfRt*oSoA~jklMZ zd1+{964`BG>6Z9Fxi}(QA|YKdAA}nb0l{~G`qtOSI!)KB2p>OwJifRvxISJfP%dpV zU5IJx-@9GM=nkT7`UdbxCVz6GSSuw~%Of6u=cX&tA%@v>@7#s^1X^~{{M_7FHAG7^ zn!?A+3p&N)cE>%x`(`qW$Ng5i*~49K?df=>-EhnEw3n1hrOX>(73gVF+O{dZtbHy; z97Y3^e>Yg-XIzvT=J$ix5LRJJXal!Smc#J@zjs>`0FJ};s*NnBUzygW7*BRo7Dh00RQh9@sLI5<%=%cXOfE78o76y6HQ4 zSMAyd94hrqVRda2_Kljuq$zG~0K&eBhya}&`TMu1p`l^v^xFNdED*!J5uZgQB$x|x za&j0Q57jpZ6NEulI1Qns1&9WgwWG0Y!M}&$QjiQjN_KH}KmF$*@rcV(nR<>LwoUyD z>1#zWbF_!aVPJv8yod zA})>yQWsbXJP-*a;&CnBZ$7YjK5|*iS7li))+s_vTb$O$b7hEH*ksNe;)8KHV?YJa z=Kk6mM1)G2et=0$P;oKsyLazE?QQesRgKAbc7^$D1i<1F5WI2%ons-&Lku-G8}I^t z$OZsjC;liPd~a#ti`wtKYiepzud^dp!USKiv9nv>p6|R|Jl^1&8?{k*Y*Cz&0BPQ4+zo*F0&ks`UR#vPg#l+2xyCpyne^-MWNs@X}!VPKe2sAyZS9}dG znOPlI6F#+ye;oThD)492vq#Pjdo^^587SfVBnC`Gzy%2j36&dNn3FgiNr;KP0WE_r zF`c9+U-?R@SWr@@iOOg+L=3X#^|ccyO$&zMaUYU5tWJR>S7kA8_*)uuH`tUfMJQ=H z`#_p*d~LUe!a*xg{ZW$`=(e!3w>Q`tN=oGQ#QQ2krcuY_;NWnB+zh1`|D55xyy&@r*_`%zcN3h_VFsv zCc*wZm^$P|k; zB|wIq1tj9fu-85B|2X$7gqFk3#w!qWKC; z{o#;5`WF^bPySKR>x&{s#9;{rXCdJdGG7%Uk-!o^Rc*OwYTrl(Ap2{%;UIWVBo%On zU>w%NvDng4VRbp(IWTDa9AhU!L!bW3gEg3=Iucm`(<6ZyT30!N9_<9v(_Idpw*b z+3NkXVcpfs9%5i&O-9pU@ZFAISj<(>C+%%-_taRg<;vwC7ZnvHvRVHuHyS=&bX<-P zWp}@=n7n8!`(I)9_;`23Xt}_quAy;rIS;|2(}sfe0-ad9BiRx-lh`LCMmAUYa@S)<$u!{fDZmh_G+{C#_r^r}(!9(H#= zC|%zZ#oHz)VfAvjdf2{#$64v$vh>My*^K|pjS1RgqaEe25WmOrHx1g6JSW+!xWLd* zmcfG_k>Y94q{6~d8{`h!Akh8J7mn<>bFcBy0E+YU$831e^MNRg2b@db+ov5m^kbGX@0Dx~X^7isWBm=v_m-Wt9#0lq~We zp{OT;{hvC$KYuA3DdBYqzvv%ihO*d!`5?TC*`Oiqds&X8)@xDa#uw-Ck`5FOp|o=e zN&iY(&^H_u;vXfCTZxl9n)PQiOaCe5k5H^B0p-^(v8H^ne*|*I)A}dU#75Jk#sofQ zzMA9yA0_&rkk|j83Kdfe21x9Gq%)yP@`v!WH6s+)M?9IIUPrZMPakM6CENm=v*Ah{ z6%{TAkaVY~ncqBUSvYto#p0grmbz(ka~P|)jc>E0@8~LH_H~Y z+ee;aFc&=T7@T+U98gmh(sWi^t{bS@kHdB9^BzM>um7xf(QqEJ|!P z`uID?i?y0{Yd=vJS#?Bq4i6W93u)~h{XYdS^}v=IIG{aZO(FhgN)_3@{BO|q>tE(O zc32<7v*op@!1xul%;8#ptOYMi-FRT(w*23ut{w>k!+RqmBcPgsJ~x15%3-%{C8hHU z4o(gr+)G>>JUmH0KE7nFbW(38y0-TAJjFt7+6uD&3?L|4$Q$pw?Fv@5kl^o^)b}eX z{jA0-C?fF0h7iuEMhTg}lCj>={*$KW=H{TsHx00#0w85C_NIADAet8^Cp!1nCrl<| z-asnCqTnTNv92xw;;ammY(P#9Dd1?@UBOtjq3qVHuYlhC3sU6u&CLnO(`twikjDU- zjgNW%Sro9cIQ8xgW-cAjLg?h`y0*5~4!G^9gzL}>aAW{`f5Lfr7FI0w1#61oi)_=WB{h$Z5ddJ#+miayeKaB6g>Xr9ca2yC2FH zAhvdg3$ya9g_FW1>OAZ_7cQ{KAHU64S%^HVNtb`R^LLEN-YS}{GFTTkTd=?OkurZn+ z+_zvA$9?OQ@<9e%L7`M+ekpwEF<%YA2Yt1hGo^aZEE_l*x=797xPZ;H1^n{zaIya< z41#jCWzsDDGh+a8)7jqc1@@@v>CrW4MIxCi9we>wjEvbT3!E&`=;!(0WD^0Q3rODw zbo4Hu{NvcH3DeTjeEP&>W#2Jo}UL9@#^}7Z37!i*v?wKN{3Ba|rwPDg}f1h;@ zOdl!L6Q5(i`uP)kHy4pchiyzRM4O1k> z0}jZr>@$zY8zaE~+d)e!AXKnG&zdH$gyHihH$UD6dBLH)M@JU|`-1O&{!ZIma3GPL zaX7)#tCcTDGRb%(^#xe?ffU}9PXfMiUHQ)%X@8+M5@@9NA3ofG2q-PD_k^&>q59Bh z)csw3wgNExLqiQmQom%ouXTr!0^$hhlMRq@fRwo|kI5!_0Fw_ey;^{Vpt}`_cN8ES zn{Ib0-Q3)O0~3;GshS@))wjh`s3-=uUPMGhXR*#6uwG^HX`mv2^~3~71ra@cIJH{U z--82-xn`>seiErz8yzWYFKj z>ZLZ&ZyX}j4pw(C`TcVK|4pB+CbvrhR}e7afjD}i<Q5J#_cGI=2Sr=5W*Mg&~M zVV*lgu;{;8EJTYn8O4bK}#>UC1 zXJph}KFou_S7|!=8W|b1IirK_eqce|@Zp?afz^ots5z9(9Rx%^(EGqWQsbJEb+1t5 z(Ke^^{of6NB7D#L@NgpGXNm`jW>=^L>a zs!zbW0{ekhr+%9M^pAop;quooGJoHZxzGk>-fW%-9iG|3UVXD5E>7@6ezi9G!INUA z=-8sI_^YL$ppX!tk(yv9Q_W|~vQrux8vKKUsj5oA3WzEyqJR1FCEG%^aLT-q3=tN( zxZxBY2;^+7W)B#S9KnG10K~c~G=csGHj`|wlUOu`!DZA!YwM4Ri3zvi@x2Q-5E=z4 z<-So-s9-vId3nzQ(m6vZaihxVME8Fa;H#^v;&<-u?h?G5?CdLm+v@9Q&W^8ER4{>` zI2}|@j~Fw3KMAN*%TZ5t`mcU5uewHl?YgnoxhdLJRUBT9 z_yq(`zi_NYk=~w+CX0!3RnW+q65UC;ZUG*tL1-t0TM;b&8fhOi2r5^09tTC&WRlc21cgR zQ~?|t0gwlP4g!MT>iBOfpbXX5`<<>Sw)++hgP{LnR;A>0e-NJbb>I#?jX#<$gtCtWxV z50~@VLc$=m0Y4YEK&qffrJMxpfOs6;i$cX`9j^jBl}49~m%)*0%dSV;)K$(S-2Y)0{PsNsgL{XG>7S871m22xR>3~-cRF*mwxnCbDZ(cqe1*q#%u+}bD zhtHxF!3__!;6FPDDop*rn&;k1^Jy-9kp^{H2)&)=*1FeM9jxGC5Losb63u%}pY~Tk zA26N&znZ>ZBun=B`5-ue<1Ji5h*&z#l0Sybv-p^VYXy+SV*DE}wuSvWf_x5}(&^8LSZ(Nv& z#RXAC)pF&7dzO7;KkIaA$je{qU>9jomn(jz?w^P<*ML_a+!Oi{lVupFx|h`{Mqrxm zpGtsH>%{lhitX$Un%&0Rw#Hxe(wPVE%s+m3z=(%&i;?{(et3)V98?%Yo>nJ&gLDfLOzGvp^gN_F1XQWOD}B#ixb3F6shQc2 zJGm#El=-Db*EK+(`T2iVQK?m#w=OTI{QC74(DAA42K?;(eRHtiK9!ZsnwpwGi!i#J z8$)dlrwjuMSW;U0%t~PQGSbe*XTWsgdE7aOgo5d=HDZB^h@sU2piZo)sMv7ahG6lC z{9GLh2nYb4UR7S0sM&5a!Rwy{3kb6qTEwDDno>~5%FCn`Z<-)UMD`|oT_2khAQNw7 z*W5TVzh6DOGQde|o1eea!T9?2)tBeL9v3tQ$uNKI=2RZs38^H4kKGRtCqyo^QZ3_% zcPX;K0D|hwY4}jjOdf;~;SC z%H3VZzmRl=;?8HcqNuKYd2IgYX{zbf?2*rNeE!St)ioH;VYx5!-+_2w2)_OF-ybGy zAAF#{&-57^%Su(XnKu7YSTB~vct1bE+Ug4uLJl-Yj6UK&xgu4--(Z1f)w+5A1ykj)`t5pDQ|R1Y%c|Be+;|ba}(_zNXI$UzeM`Vk*e%>6~Ok%ZvT(R{J9xzHHdFKS4TL zwq#PD>rrD)k`{QW1Qdus65;8PU6j$#2oWdANKa4ivCtBZrHPWND#M;%p9(Y^u`5;G!~D+X?anqOfc6vz?@j`3IbE*_+}nD{Z_j)ngv0=6 z0-3|@q!WYdVnVLrw2u;{UYQzjN^DSH{7Mp83OqlO9WD0@G@xXAHf%rvxYprdPJnD9 zLn=+$YJaBGPa_y^b&z#gA7taGn3&bQJu|CC;J||4#Fy>`d+jYO6ZECSr=P+ibwmYL zm_}gihi<4AtQeMZFTn-FKAZGFUOz$P=xX;i6nHfbyw|I*uTKYA;sV7iEM5<{?vIlY zaZOD;5Qcz?F57B`sS?CQMtT9Eo5V3$-C+B#f9}$gWjdSs<^Q4XJ;1qs`@V6dXi#aI zk%TlvMj;X@BAY0qR91*kc2a0)*pfXml99bN6hd~9QQ0Fad;MQ$zj0spbzS%Kf9~VB zpW}F*>*&6Z>-zml-|y#hp6~PheytPob|1ywrsO^fN*EDA1ddjT4nGbHdxS9*eaQL< z-`7znFweitHa-IoeDKCd$J{w~Jl=20m)ShyC_4h4nV4;`Jay})_(;(U_T{rjb5>l+ z3W#ab<&?eJ<9FMYg^8giUX=^|`>NHe&!ZK0oM_NoKUk3n3JlZc$geuZAANmg>BeExi+_a8s(zTMg8>FHUF!4%{&)CAYTp2xKQ#ITRo;AU}{L-xYx_jj16K4C)QRID~N zHMJYB6z*$C+=dZFK19T?yj(8i7q~q*5T!^P4q1gz5>7+VMe3pwgwClBOAc9rQUWaZ zo2sgZhp%-X078%V`|f#|b9t~uVOf)&i`TIT{e{^Hs$gAuo*%>kD|&rDK76G)fgJFb zQ!_Hi_zZH!xX#4HmLlsapLgr7h^$NT3%QR&i$4x>z@wEA53WXdKZ8 zrlzKT1Gd`*>aNn+D=(_6rw8M;I|x3kQM5!9R~P5)$Uyw6xFqlO_xI1~hCWo% z(vk&}i|UOJz79XlS8f-;^Y8r)iJ*ft&bpv|2jKCht!+DaQS3qMs=UJSx-;0GVDcU? z3f@ad;BmXul5ckqUC$XUEi8@_Ksn(Gd$_sTz+|jlyA~vGS!Jb}&?7J$vy(&EEBdrCOn3!GIfXs)k9?e@EPL+L%g83;G+cja9jeT4@M#%FM zh1_c22A=X5(F*ggx*E|=%W5XY>2M-JBB9yC`ekki-8-|mV<5o!pj)?=17K*3nDM}{ z)!F$LJmxg0BrQliM6ds>*D@@=xoogCF93bAPe@252)sz)B6MpXKYsjBRmCYP8q5_M zxAb~?s@;Xqk!Y5@VZfp<-x{2c7mQp16zYDk0$>_#+ii=jYBb$HvAw{;D~Vot^#o*|Qf( z65bpz8ylsirG2QVcmu=@MV!LDT9MLE?l@MLT#PrWHhVzDguf|R6zGIJ;4>{RFDIk= z>C>m1f1yzygYrT}MdcQDNloN&g)t;&ZDDnu-r=#1B@)Q7{gmI6C$6A>pwi*mw~zKF zz~W~Be3UgbWZ+%|goKGHQK3hJGz7nl`8>1FT-~(#KtOBXl2T}Y6fGO0|CX59uXf97 zs+=3ZsG!7VTKupLJbaB4|Dk7M+Qh<=H2!Nw_tM3SSI0VK#iu(cJFO0bJRx!gRHSt+ zCnzC(0PVKyrab3P^kUel5jFKo?7>22-+5hT?w5#R`YFY?Q|8`$=FAy^oQS*k?;8Ld z#6fq#+`Q`hyZbf|$rhLO;XHrkioB5#Hx36vo9^>JvU~Sk%>VpXJ|B4CLKBs2BrEF$RmKZb#DTL>!*=xS`(Eese4Lo*Ig|SN(HGeNT#OlLH6<69-AQ4;bj*jnC{lt|8H;V0VJ*|GRfp#sDuCB3Vw zQ_Yi)QR(}5-M3UxI6^!w<<%<#RQ6v#TZ3^3WFAT*2PHOZW0kOTza7K}_wL`H8PHq0 zmzv6_v{bJVqhd_CMN?BVWFDtcL&Er%5rJ&iCr{{(U=vv8OE1_s!=xoq%k=t_&8o@%IY|Xjj#*Wz5ORfq*CKOVtcoiH{+o z0l*3)RpR5~ekbzjBY*D9oW%o>grEIL(Nmf1wT|)c69~lH3qjGI*^i*@`+(}681DODhyD)s4Ms9 zOsY^XiSBD=W(GULCoD`6pk&_IM$&!c^{r<&8EBV2xzYMbtJal$Zmqr>H)j=;aT-K2 zF29+1f)2AKAeMfynY?zOvmaFzkE}e3W+N|jvhPQK|2@=pz`teKAMg@;(oXXWG^#ugxiQS)Tu^}M_z*H52bhk`}fZ}FIM zN;t>zhr7_tYgSgZcHfg~jG6^ilugUyNPB`;UEkPfLU|V>3&c?ol~a%eu?WqZ;|&vj zGh-a>+w-_MPYl!7PcF_9NAgg!AdcLpV(~5u6HTcpDQu`P_&}NFt+T<#Rrp$^z}nBG zU0e;rwSIk^G6ANcugNJBe1$}k!nvQK&`o&)3c+8FcStGgO%uvW0eA}M`s!7yIzB~6 zDJ<{F%fVj-M!}ZF=iGinP_~$(2#N@_yFGS@7Z2?L!@)z2(+2=tujr@V^;ny)_YN5v z(%l#HT3RgFedEQy`u4X=Q}~|j$Z()xJwa<|T<`PoZvXqvxX=f8)1)q46V20@7mcYg zQc7$%2Oumungip=sjF8HV5DE!FWMqxuIn2ZXmqvk2x4+%&!2|`U|0Tll_-X>HdSXY zJA3=@IKiQF!J!33753kIAn+|AhTt!-cN+SlUsMChn(0qWo*sNvJ&j$_{CyVX7eu*{ z=)JZh?hEaUlfsLOQ$?n3ck=VaLb~N}avIjfD&WTvoE&Q~oh7`Wpx{g1bzUWxYjxRr zgsT1wwt*a5FJC^yn69j%QhUKJ*dXqKyNCuPLErlO%kc`()iNKk_eJF;l`p(-Q@?3) zfeaP~)C$;P>7Rd{gdHCP1&1uwfQpVzl9TBsM#l1`#VHAIAD{TRID%Y%4>Amuj8LMO zO8)79?~67Q;~u^*3^isHn!36V^YTQyySuS;*QmU|2AUoL+ZZk1lRN^ku4&!W zP|JJacE_lY_Pp!KB{P$O2hK0Y><{c8z`G0NfL9e~1UY@m&@)74XVU`{L?}rh*uNta zGY5o)4Z*_EFbb@KLJK6t#LEG6QIM!&ZGkg=@h+bWnj(nKKKLk#mthen52d&2qnQ?) z8+;{(bj&l_+WZ&Zt_pcr%$q;59P*7~fa0LDo>0&CHTY(pFGWq3u5L zuHC9{VDJWrXCVKjHCTs|Zd9Y+@AKBaGE_7Zcdt@3Aj}KIPf#Sj?(j4Ow7yrb@EN`y zPRtvaPH0}XGow;qYpkZFHB)8vgUWX!N+X7_RcqF;@7i^IPUaZtYD8`g-sj!8%OZJ} zsr3D9TaM)~rvc{pQ)h*{r&}GPPCsVssoSwKUk@V{l)(X2+=m}M?W=o^0y7oNSf2Xw zsZCV_VW#sK^QfCZdj#Ti{kY2kcM`y*R^j~wKr8A4N+TK+3zmvZSF#SEO-2A z${b0?Vatn>M^wqDHf@lj2bc)Ja09n`Fj#gNik zyZfTw5O2v69@-!Q7Dyau<>a>6?M@gD(E{!CDH{RgjU1LYB2n$UETf_ep?#t*XiO@d ze<`<*c{mlab_(w5e}e(o6;Wypt$#ZEs5V}3Lh5y+aro)iwQ4eQ59qZ{kgtYc+m8b`xpaqdn9EB^lRiSD zZPDTmUH=-|47t@dcc^Uc05$N+mGRP!kA0cH?w(|y`7GO`-+vH)_BQoNiw%+)j5c@Z z3^Qewbk;UBgsU_tn%FEv*L)4)SS|0$RKI@Zok>l_FFvI` zu}#G4qOsy)-d8VHO}i1P7hE2V_Ld`IZPD|l2dKY0erD~F>ZfC+lTLq)7QjY)c@|`8 zkcM5gw!Wh23 zCJ7}rOiS)X69ejaW;YJ~k038aJ@Z5^s%zKf=TJ@vyyD_wjU*7&x|lz>xw$(~k&Nn` zA&mMC;4=C`$A~B&&8>MuE>ILwb>n>&8!eBGbI3-%e0jRZ@w&Cs24_~Z z^nhAyD7DkOX19{{(M`XKy`N%w*K=(q>95{w;p^vl6FqN=EA5y3GIS|ED?oPRSG!&3 z_20|LK+m>%+qP|J3c=D-17B*OoEu93NQya53~Fm4a{#D)xyaLjcg@+qv{9c|?v0HRLdsYydirZozviFZTw$f@VDAc&s_Ny$KGltveKps=ev(WaG1}yj@&eKf1c^ph?6ZL{Dm_jbWIa8mREED=O{-+9xQu zLXq7#Cz=iXEPnlB3P3px-xn9B-%AJ?KLptGrYFp$?K_`5&_Dp?bQ?Al8$3E9qpkgP z(lIMWJpF{Tvp8h!z#utMQvQ?uARB91l9frcTLe#X`^X)ZAPV_MJPSAKR?1u1-~v37`_Xoz%269PVxy zUnPSzl$4I@>$7d$x)s#BPjGO{mF=LrfL8>7Z!4JVgX$YYKj_|$uCA5!E;+gpO8Ume zccG!gf%)m>lEW2mPApODy$h1J6U03~gB}8dFxl7Gu4m=>>|n zA+N?j*)Rj`hNxBNDtHdM@jzn3!*8M~urXT1o+d(E(1S#F(3q@OjhAfGNCbZnUBux3 zE*ct+mvM#lRt^(53DonsBIgkNOyc5z0z-SRhe~`WnkD=`oNC+s_v@6GxKX#jX4%z6 zK}1!A$A%s;7|P^>X3YW@E?l_L7ZU(DE~!w{F@bg`W7iVpw-)nU9F;=VUFcL%dod4gdcA0!F0+f`VNj?OwlocL#ll zS*w5=D{V*^6^a6cFF?-#ElKYW7}(bYSc%N>n4o<9{8I6>!0@K`!DP^hXB!h8z2eTX zlE~xtpLV7~V2p!KY8{J+beOo)ub+E%?xY0T22HynadteCSUd!PGzx$Y@8-4i?VUm_h2Re9;@zQ9t`P$M*KC>o6f$b=9W6!ZDnd;9h4V^v`ikK{Suynj!9@ZiCMf&Rot?p5oH0n8FH2T<3cmMjCT-;{G8h~d>C zZYqrUYwj$ESIcY`GtlV7#Ji6l9{?G?2EZs}2(#e_%+ZH$j1bALnK&`Z5$Na2m5+F6 zshOF?K44b$yMuTdRYaGUE6%~Kq!GDn(y(F5l{=tgTgwV_Uq2POmAll?POMZHN_lCm zn&;+;DGF7nIm=QMrORl^*4mnbmpA#%SRsV>u#=$1n*_wG@r2AwLMt&pQ|-dZ&Fu-0 zDZ?Zf8@vuhY{(J94xnv{!ILf6%JK@sj!RPe15}ljYrfms*x2knm;D&48Os*{5?~`G zRn@vdFI|V~76`lEN-U19cb@6mhEwas3wbVjXsr?_EdYn(xyHrCg+u!DHQ&w$-Lq*O z?U7M4ygf-woB&392%!Nb8vzTG#NA63qgj2?MUt`nV6BQ95L%*62NkXyuLkW%dcW8_ zBeW^rKpsHfqX-jbKIT*ap5fPvI#LrgpJtXFvgs$q7Dt!C#ptD(Q*QWyy3R9~3i`Y# zDFHW!48;G9YgoT*&HS8pX{~AFiyaaYtoX=dE=fB?Opw`u!(=X#uVZ|DLvj zSIOSm@3q}myFy<$X2m-*i?p)9ICqNhA!TV0KTraSC@%iYLU|jnS5;hw)WL?A&z%T{ z0L-lnf{n8_Z)&t*eG5-Z^9Bx{($J!&si}JI+=~JRXixh-83Fm7)`M~nr=CnQ7$hh`^wAQ;;)E}*;lM3n+`D5)7%%z4AM z8$W1)Fzn{#HG~5R514vlGJ+3v6`q;KD-=_Zq#58{pon0c1<*DjT=xv+?g3OBDHqE& z?mw4Z3>6$b$bFbdt$fBU;=~z6Bq)gdh>B_>j!!TTFf9n4*^i$&6r7OhUC~7lbHIIA zkT(`*dRo#KpkX2IDV#Q!JBnS8F5Fz3l*37yK8jI8RJml=o%f32yn4@x6UF@>#W$x}nF0V1W8P5kaP)=P&YJlJ z2F49N_^P6MuN0gf`h>*@7TN&}FxNe{C+_%ba%aq)E3HRc1U0`&Pm4pFd0T$j&1J9( z32}09c_5HBJ@*0nyr#nA*{HmUb2|tpANHI2rk8NepDdeNm>wctL2Q=j5SQVCDVi$b z_xMO~L}1YI!bbvP7(C`15b)#Y&xb&^uzra$Z)pF3o4>a=(Fs20xQmx|0WEWZ_|KPm z?)`*ICv;E#Y=0s~$6H`R8TK}T4}(3i3oGWNH>sJ{<+a{WBR=-^mA-K!yXq)Kk|k(L z0N1dM9(7uJ0JK%8>o>dX-b?U1H&1u*^~;?4DOasNu-0m)+U(7~S`pm2w)sQHV#VIzET0I0;Qa)@7W1BIWW+Ws3rcgk-y&!Vi~Lb4-ooh% zi51yU=iIw@4~mcTI3fV7WtoU#8=*0thP@%^!1-IYGk8mY{*s3dteqGdqOBBuZkYq| ziWh_-=*TFD^af(Ml`bwW_*3*kSI*>B%!Y%SIcQSPjXnXQL-s?50#U3e54bEk0zA3t zi+vs)JS-3rJQ*`N! z^~q(!X!^H-V2nA)|M0IVwldGxZtKlDW5bE5yD0*EuctB&DseTqxaOYsj&5mpef%>& z)@VBK{MqqX7RJBE;2Q$HwCpNdk5t_~269uP>Hj#Td$@R7d`>wp z!rE*yg2yS5BEHFNG`wPt&EcXRZhV#ECu(pT|-M6^bs#VDJA+s3!$VL2U}#E zX?>iZNq_l3IKA)B*!5%dq)d@tH*Wr-qEky$)}*(*9K50-LrI60M|~k$qe+pmGDOz9 zcyqSof>O#~pHlOpxcLF^m zT&BAO1sghYy;f7iKF^WKNf}O` z^A|7PhQ3G2o#s4Pjktz>2eD`EvCyHVL1y%aNO|_n{whj7H1^11naB zPim^={Y%c9d*_nSl~+SmeINKRBtp{1j|0tLczmiwc)*55I;&7)vZ~xhDZiqzg~`FZ*}cja3wjSpcwM@^NYDI zu`oA9_#vb_0PCgjyn7d9!T$v_xuQ3R%%klJkQ#wyLdVH(P)cJq3)B>RU?&6{j^M8F z5OjlyycqbyOjFU~aZIzIEE#sdia>^<|;Evy<51{r74ev$W)cVuR>7Fh@fQ z1Lg6VvuAyRg35s21PkoQ-R8|_Bk-@(Kzwy-|Kj=HV~5hM_zG?yi32qh_Qz(9Q1c98zkrAwIO2pxnWui4uC z_Zb+r)y?z%O5rCI*S>@-uJ4K$Z>ESmuce$&9kOl1(4giJ3_mcA%n6x$V3@}^cncJ8 zO-;>}mdvC#V^tqMbYQe2T2gQe@J|N8Xo22osHzS#CX}L$HKC3lycVL{Dlk0uyz2DfvZJUfg47jHk%0@ zseKJyn8WFqnIHK1ZNZ55o{Z}`0N>zjEv>FzzjNo#&1+TyV{ZNhSQs+4`$0hrh=BMF zsI)-;{1{K)YNSIFm9)iC7pDeL>9=5Yh{6ir5ScH{&mNJUM&QKKhUEU)$Kgk{?oxdY zQ*Wn^Ja2xyp))C@f-;3Vbsh&TjxOKrY_B%xm%p3u_Krs4FQI0}deBAb^etU$0o`qJVa>th$;Dc#F0y!lKH|eH9lK6?J;U zsDplQmi>Q|yw5P~Wi*N3KQ}W2dHhLe386K5jRm5ggD*%73V9D@_XoTJvw%qysiuc{`vY+9zo?%MQ|&yiX1 zS&XtGKUV^)Pn11BXZbq6%ArB+(P3YiD1=2^gZcnD{PeI_l$4YZKU)}BS!5NV0$Qq+VkRkdo&17=(^1d%ClNG&J z*D7p>nY9N{+N0hxi&%T2@1n}kt^|q6y>H(o zU(_5Mx$=9t?2BO%7T3cDAUhs+y_p1bBiFmpGlKPlEMNbH#8P>N-uR zV~8w)?v2LZv^m`vmws451J5D*9h8sACF3%%*WkL@afso0YFJQDxa~#d#yU2hN zXI3snCIXroR_Xf2_D_Pp>{j)vvK~EoQ|mEPL@l*^K;vj``rS(^8wa9?J$YN}`dQ#c z!m)4+MU=3h#3}{tVUCbfd!dsfbfnEQ&=D~{vv{<66KBWp@FU1=(OwW@eactQfIsK~ zgaA+%!9V&Q%29xJt*T*h@c%#a z*w^(2eph+MSvOBcK?>0#|4&zY@~k#KPLXWA_{F`Y;^tPjRq%jb1mq4EhVF^|?N%#>u0i9@#YPK9MNCW##x2Hk!hbO1)N1@V?!PJ5 zgD3iyCdb5W?O*bw;<0sj;E#Y36)Fw>lLa)Q>o#BO=l^gqeVR|?CPdl@%|ZuFlElEo zmOf%_=Q}YWy7N}@!!Bf4LB$F*?U;`M)FeoUsepRmFfxUp{s!%;9Bh96dhfLOc?EkXCi!J=i6(Q<41WILiS`H#^)V0! zqPBw_kYL&C>*?BH)Ii1@boh)wW09!UIJnJnxJMkPPaw3vmX^^tgR9*pg=2*l}SHoUh5 zSQBd3%>Ww;GHB4FZHrrPgvQVVdL>M~1Un81Nosu=8|x13(5JlX7C`ptfpZI+e>L(3 z_P88`>#jX}*4{*0)bAAO_|Nu$jQ;5f!l|QKz?35-JAl?nQGA923LKpMt3fN`on-VW z9+}vT+3pvXds!wXMyT5`ZQUZ8Ux_6#oJxd_YPP{*g*dx0=puhm$yny`f27EtCyD-B zf;?rRP4Rzk9G{IJo)^&2)Fg&Rq)A35B$Vrap=l@p@k1OBDJjM6?RpNhtwTReBM$%1 zkKJaYRLMJ8;Jrf+ISz^v+R|cVmu&A9C*cL?1)w{mTAFfMBA<@}+AS#aM?n%`J!~W? z0fu2tu|5`dc84JpV?S~v1bp*A>(aj?b}3TQ(=UR%1jIl7Zkt|;Q4Kqs^=%11nsGLQ zeTw))Z#o`OG{2HU)|(!_eJw4m&aN&ZYy^ao-m(vq5t@e5 zy6h_&R9aj9&G6p+@=iAzMd*cyyA?`3$_~iLdT{8WW?&jsfJ`2b-=r>Q3pv%Cv}xG) zZ~ZF0{NttTvl70~XN@R5-7g)F7r(B1H2sxc#;aGasy0o{nc?+eY}SX&-rCyQhwJl{ z11l^L^Ig0yHJJs~xZDYt0#YcTajr%XOJ9BbCeYMZG8e`mD5cULk+s3;f;k@=djgAs zi_UCdJ#59HC^ov{4~_lUbBTq!#8s*O9@9+hkTB`a3A{w6t$!xMt(U(+Vi*Ze0uP%$ zmjQe;_CJrp85Px_uOXey;_RA6e~!9x9#YD{r%%84^t=bzo$l%v@xy`_C6)BkE=zNI z2-ZOMpm~EWx=3IRx(-8vpnK?{MM30YZB8mW=opOZBC3}zbsh1`Dgl5&umh~d5-63> zLz5~+0qMhg_=cbtDgl>|P#kK;Pwi_#oq%K`g`Gc$25l#P@UNGN$y#Q3g}i_2eVUz2b}U#BnDmYNRb3%A8(z_4-k z>eWw+L%qExb#>b)TTlF8qQpl9tORNAC-EIa^?g;<*QQiY;=}FTyI1?Gi@EuJ!fn1X zmRR_;X$cJAH1x+nNx(;iWKp>TMl)H;OizD{=9|#$Lql3fti;3T_LBo+NZ4)EX-q4B z3iqE@zWSS7CZhSo@+ScS9%Rwch8&CN0BO5#yNg5FMSgr|OKaRPg%YsK)wS^ zgp4sbmjwj{slptWp8l64c`H6^!9?A^R%6!Rje_$_&Ui=>LZLqAzUs~Ex-#hTnsN= z$`~+iU-*p2a}b3@qyn(3b@$np(`|4F!9yY#EaW_YgX9u|4fOA)H@*EO z9y}y6Ff0j~HNQm`@O!ibaFI2%Z8+t9`wwq`eZ|gz3L+v$iVF{Fuc`WBU`hmj$jsEp z+YA2|K$`R$^DG#VRn*k#zuN;jAs8@JMFh!%rKS4F)U&EoMkb~o-vth~ss5z}_#S!C zMlEdBUqpI)7}P~9kQM+<{7_c*4V(Omjn0kF*c87#0ld1M5cp#N@%Hsy@u~B2yV8OH z;2N-fm{f93v$9G3jQN?-qir;ZWCgI3Zs3WD3NCJlk7&Y z@`!y{Qw&HbzU~(nA74#}qXXPx-VnQx<=Yc-eHATj!Si_$6H*J&JB*>wP)?M*C*rA> z3&e7UhL1?AIb_e}SRHSnn+CH%Lw|q*!U^%fkPifnL2PvNZ7efL^@!|HiF@-=rvl(c zv6-1$WxatX$i%2D>lhfQ0HsbG1vn&$6%Yq2=+?N_>u-d-xV&Pw?A(%0Ql-$eehfXr z6r*xiE~Zwf3pxrS!iVuAAt7NJ4ph;LVe9ee)&oS9k_sH+E7-KF6^hNThk^Wwcz1XIMdBEG!MNEZB-UI8~#j5!}OmTxy??hU!`TP#5m)r&3{iG{8>>?u>wn1e1LJ{2$Fwhpu}S8NKQ<08g4 z?;jh{G4TxYNY5W3d*>^#_0z zkn{x^-;RKanK!J96!q=V&Tv2yjRedFW3{Jv>5!a#=1ib%I|R1?F+$?M#m^RamtBOU zL>b=2zX6bCaZ5TRB>4}CKe01NP0p}E*Z41N|M=3Eyzvz7myX|lw41M3aj_v~bu;_M zyDO9r^sl|UR{2R;hn2eL?1QyDIi+U#Pw9P>?{YH!*nV)`CQIvc$!kq6yktC~>|-fg zpKZZ?Yt<_D`<3Q(6N@!Uwa0`LD>!<_#U?&ygorpL$jxfnZ2d%Ad&pt(3dA)e{HbQ3 z?#zrD3ZMXr-N}T7-V%fxV zosay7a=_{!y>#5T;Ixf$WSM59a==n>vb0ZfSE}|gpXB2{$&x6vyKBOgO}Q)fxb0PP z2s%h-mY2Ry^ixN+*0btP@wEaCqB0{6ZK1x7FPT9Yt&?-iGerL1*I{(fG; z7qb~L!MmL=W6GR2DK@gF>_50fUldi54Om(ChKd^>&Z zP-)mfuKD8|Mrj~>A+PO-Pde@mO<>uQyMxT%pm&%AD-FT=C?F}J-lPRHOsY{$qhfi5N=#tVMhx^k`cdVfT(pSi4GlGW1lF^Nz+*uTsWxc0 z(%wwJ>hn4;?a11Q(?8_NT|<#FCAxZ_VyU0c&Ce50c`6zMcqvV2*m2CE45PrqTuz(= zz$%YM)d-9XtXh)Aw6RpXaKrA0m+%d+>!uk)a7FdDWbsnq%(9nA57X7#HqojWCxo`7X0{Vc9NA;$YLiyR8@R0OtTgM6h&f_R;eiBcs~4 zBYiVR9&@Zt(zt)OY@BIXDc8s^49HpD@X*`0=`d# z=`K-x%|5%g$c)>U?K7pbtmDxX>Q33mXA1}AX8=TSC38GrJ`;}&GERUBd;os{g1!Nj zKKE5d*XG)_ov@E%cqB=P_(X{;bW?U9pAEncqKb|;o94PM;SadsU;_0mA0}Q0SOfC`cBXriTw7lC(z1 z4C|*C_Gk{p#c7P;)Bygih@zmCc_k>{tczy{4wFbUd46(tFp=V*vLC?R%CJk6BAyE1 zK2%u1>Jx<4SEuDZju=;~n{f(a$Zdpk_#@B@f{ueZ!=`AsvAy4(1y?38R0c1^}Vj}s=I7|g@JOfh)7L*c{PM1U3XQy$87rzDe0{h=cO2_Z_ zJb7~8W4BfN!u^lxoRbUvb@9uau}kYaw{5Vo*z|2+fc%(WxHi(1>-00StdQvC3Nr|7 z_tRe=ntgycjO1bh$zcP(O}A5KBnvm;pBaR6foIqzC8D&LfV@H6CY8lV_?PA?hgSClnoGB4YU$~ z*}fLJgkkUZ#hlgFmcvUx3x&s2i|j-~^kbO7!~72PZY&dj_2oD2v}jn#Y)QO|=+|Hm zzSLhIj|!lA=FF;M^b#b+2cM?1yW6Uxco}SE6!iQTSN$>TkAs&XfF5v^v(Lvd15p=) z;+X*>LHZ`lE2sU2K;V0!Q^!un;aeuDzY@3ytOghuqhn%_^j3wwaKJafo!>U}K}dT* zNQCJEKFezyPC&AJe0>SaH{&JShR~{ck>AfB9)$iDp5+@q))?1SNa3KDK}(=7Hofz5O&#srneE-(kEO)FZ1!CWR(!(pqU_6=VK#Qyv8ky&W{1v^xQH=K zg@zc#LR(U4<#(ZipG9U+5E9SiA9r&62ut7ng-B!^W zXY2E;ps+5f1*3?7R>&W27W(~{|`tb8sV4 zY!Fo;wG=vAfIWAoI82#Co`rM_*!nS`nQZwgNM+Dd_IbwXOGB5ou-sR;&yg>*O|Z@cp|ON%uY+v&OQyvK<_k z&-&?5$*8ZOuz5s2J4yCx^C>bM0w71&K?>~u#sOnJ16A(O&6(H$aJ@914GRj2&k{d; zSSz&p!v~Duw-E_I>J(}YvdqP?%*k+Yg)lQ<(-&{$y7n4h>*hL zk9GF%hYFdbFU?CbgJ1_Ex_aF@5+`dFexcXnOc#IlwVriAL`b5b_26f^PlC?=9J1m# zOtKQAQ6L^djR-n3sbPJgdqN*QvCbeNxC2rF*ebmJ{bg`Eb`6h;(TggURt;BFea=|? zWyfc`z2AX_=>k?FEk<^Nr((O{Km`u-{PbLtbvx-Bk4Z5scBw9M9&;)UJK_CPVa3tR z6@_!uV>W8MTcvHz+xrR|L~8RLD0fxK8|yR~y)Kv70G9ovg2Jx-`yUc!5jnBI!6=B+ zR(B#2%{YBX@+06F-Z%kaaSL;rWB~Y1E0>%~i>v@Fj51oDEQ|J+Q<=p6(}gtnZg2vd zw{GQ!FNe5bh$Rh}BOWjcJ&ucqK|xwx4ZKG+IoEF&W8>mFkt`353&L_)Xze}QZu*m}h{LcsY&EId=kFAmNZ4nEKsKpTKimQ!twpY7s?ZLWAmn7+!y5G{uQ z8KlFpiHjFD&Pi5IdHpfDd}I5by5BR-Xnez9#9B6vVzIYASNl$Jo;00SYW{F+_d~(j z^)D(9D-BQ*#@)o^9)yXo|q=CcHPGDLP zBokxc49Lwbkk~k1HZw=+AA;TN0RR!rpvkuWHj7b|FU}Y`AX@KF8K#8Q5Q$Fkbz}@osQYPp!da}Biidz z!?v&0DXR4HO|lhkXT*EoT)$r`D4NMN_kwrym?c{@SMqKiam_)~nRzN|((#jD-)8vf zrQcRN`Mt_on?SoUF2XXjD8S}N=TC`xJczDL7En-rJ7iTdb}Hj5f7JI2H4I7av6&Be zhveDMnMo$^DbQeEm>KKhWjj$Mf%~q`LlL6x9~>O4DcTzq(S=T?+U#a|zgV?tnNmjit;zv%jJU6&7dVmKWch{T8~9kqW+Snn>UUWGx% zZBD)WoO*!EBvm6NqZ*a`HL0}1C;1&h+y8hR_{)1f=x>lrrBW#Lt~k4k+nMIwJ0TZ=n2`z* z5~5S^$a3nZ4smP{yc`!@6x7*mC+#cNxSqApqQMazXNcd(V8eUhM0Gp4Vd2nK{iqmW zv<7Zd3Qoh7*sLgzuAoFAW#r2>>$--^WjN9C_dAM_4?k6Tb%S!`GX3G}8?{3pK(3xT zAgJ!2#H&YDPcKbyAti1l9zQ^swHcg&>x=1*eAFT`s@Z!d))t zCNcCpZ!R2gQ6!g;Kyi$&>=L9;_5;XgK7|@bve#fQLEa^(v)##hsTWqRxpT}Sp^rLT z$pKRars#s+D`MM-)E%1)ZeLDlU7hCkBZXUd@U;SjSa{=X=m4fSJs5f9BL8pPfo{;0@Oh5m|U9c)^Hl)@_0NwF< z0|U3Hs2>N9G~&aLPMUu$9dB6q#D;dSo-`Xk(QmD|8V3C7534(!;++Boz-<{5j52)7{y)!l9V=?)p`e zH^o+4RRo0W*5i~N>GZq(gmRA`(m+sAYBlqbWWYI0z$L0Hjcq zN<19oe$Ql%XLvyJbPIrV2vS)$Ff)I|Jc!g6d$H_%nzG;z{1Kd-r)v>@a2F zW>zMs=Sp$tc=>;W^#2d1ePMYn8X@A|LtMcY9GdtlbKW2r_Lre@Z=mP#`Z2eV;SbpjPX&x$BmOu^lR5`a z)aug+0IRW@6Rc(9=)Qd1JV|Upldc0Tb|z4@r3t;Icf`+m{l$9mX^QYF#T4ArNZNW> zX>pekx!y!(ALUKVVgP?UL2*KDK_pWc1wITcEG+c3=4I(FhUt<>2;9f;0PQM%2f0%Z zo9#((@Sf-6)(qzg9fKgBO_p;eUR>0Aa%TZ3bTnZ6@U0)7K9gs=4{84qzsFR(TH!bv zm;?wfj}V@sAZXVxQI6#z!S%ZcUCa;FHbN2CauHdDYn}D^ZT&_!XC_HWwGJ& z?T+^b^%bg0?WyU&p~DqlZ_#6qX4+cfT5~hRhOupdfME;^ z3=VFJr@=pmow{LeS)58dc%Hpr#lbk$p=^n`Xd1v=faCm-sOUj7Wm!qfCw-(&e$3>_qj`|9 zilTq}aa;;`7b3#~E?m8Ze&hzY0SX|qFJLT?0zw3Uv;M6AlP5b^rD9ZY6J#}T7Q2C@ zEaD`K$K8#E%*ewFXHCtnLO!Ocj9Ph^4CHiZDgJxA2&OBYF zCr_JKs=cqR-3Yu5rrBLhbt;;E85b)dx)@w=ycF8ePnfGd6v z)|i;{{F!weDE>xY(qf*q!}!89v^^^Vg%IO;I9`)_BkC;DNGIhV4&W9G;7<67>Y?>6 z)89OR-dG|l4#OG@)fF!CHk{a9Bs?9}33myRL>nklgCe9nG-gtZa7&u=^fzj_?S@syH}NPXMOGmt3udl&y#3}P0Jqda~)oEb!2I{zfxHzaC=u} zV4Mcc1FP`*mtr~E^C7h+8OZNLx-!W$1*i9CIt~T#AZuoj3x;KS1`H5x2%_5?LNIcC zLTlkxoA?m|0W>nu3a#tC<%`brv;`4nkZT%p`c-h7%S5-NX4oR~UkH{4Y&s3(vP=b9 z!cLN^`t?*J$)Cuf0napzX}eSA(*(=f?@;XiAa1s=MgqY9Fc3EF_99nC;~vSU0E&ng z4N`SN66>e)I!Vzc;))Sa@rF2mu~n=P*g-nDsTTrpMUayDv#sF1Mq(FW0_=^bnK~l@ zG?c0cm&K-e_wJn)uQGyM$a92g4d*NA$x!|PLQ^b4KNx_m2@sqBIOxqTz*cG1jM<&U z@A&s@+oyfex{dyypc<7N9!2yj&_IB>CI>QVxN4$+9u?w7U`5&_>uuDQe;8+h722%c zxTeQP5SfGKH)krX+|@gEES^Z4A?Q2?UYOi1`ZO8A5w8#>0~GTvhb;7Xn#O7t@)&N& z8^dJ|unjlaOMF@=0)Fd?sGxAuFmjvEa{)4Jm(ahFd~2YyLAj=T$7iW+Fg)0Ka($}} zkbm4b5|RGojtaABH0zmQ)wzTNfK!PoZD^^t7Bab>0l0aP1gn_L}u-&c?oRm1?AY>tz z?4k>6H?m95%#6jFCpREs()xX1o6)s7jw^uqkO#rn`{flE?hHz3;zLDxf7YVlIH(Rt z8Do(n2oX!nX=6|t=*~DWb$B4y5jFS4*{rHwad$?I;J`ov!jdP3orX%;4P4H@{iGAJ z8KBc8*KWZPOF{clI|^!O?=wymVJJ~g}&7P5E%u`qx{BtQX@a6?=dEL&q!5NRC5A0hFO zn6w&sDgz|Zf&LM91tZ-l=o*+k@r=mDFo^Yg50agjhW-KU8EF0|!N9|JSgfzX`Vh?r zj%)&%WU=0 zwOuZrQyR2#f{B`qt$(lK1>K*8KS4!9XA`EoQxmJ`_pgNOqLNKXOEdR1X|wL82&r!z zDY?Y$W4%*JQ{G!meBJF|or1^T_1tsXmndXJP7LzvTULqw20Do;^{Tf0aY85KjHOLn zlHG0Y?iP3mNbLX;%y=qv&YfelQ7Xcd>8JgyPV&Qy>TNlB%YTDGB8t#_2kKTU9~+|2 z6{@VPOl0|0^J%QK(0>58fNNc8(a7+*3)~h=(U{DU#_`-R;{J>f`e(35wK61x*yVr! zQe(fh>W|MSxuO59ez2!*4@dnBBlrF=Ii6U4?tNhb+O6T%j7cv~edgciD|;q*x96jm zdex`@`t$i;X{hM>9ci6)e2vEZjOx3Vy7$y{n%cea|I}%U{{oAYk(_{0J!AP;IosNL z-OJVEqJR9&h%aPjpke233@_8PvP)d??omWGz1%4qADO7&^kyy}4p)Ye4LX{CClbta zGMH~tesO+bPxri7%sJXn1GGW_n~4iZ`e{HP_V2IcF4qC{(1C46>%wobj8_%$XzE+>)@k8lEeIiYaHY|`!lR&x0cvw@pYfSo9D6Bw~llKyro{@a5Qv9 zPFF>hFRu^BjWM~`A6)(9FumM@cZ`HH;K(Fit!lGQb>K4S_50ciM8(C$AFxUkHq%)S z>_PvBWA-7;lk|Ra@9=yk60*r1k0cEXaay>22{a|HWY=w5LQ#Zoj~3_!5&_T(#g7I; zG6${YkKSIAXH3kSS3HHYLrrzKVHZe2H1KY`gy#@^sE*t28 zI2WlXH* z6A@vACIIs;W*cVUS#r8_zeq3!%b$6uy10dKKYC(ZWuOnkH!&XKZI%rnvh^5#7kt1! zV7lc*OlWET@RwH}knJC{McG@dpuS?>h~Dp78v$DazFV`LW#}cqIz5G zNPrmbO@Nix(Em~C#ol}(bH)(Nhg&28g5Vn`j&A4sZ=x*fex~VZ02}~>aOrt8^nHq; zBy11V)j&szr;m*N4~Y{#8yUYZEv*F~K(4_<7u(5NHo*wd&hIV_y6N>4O-GT9YtuM zj8Kv6k`xlj%B-ZaLlRl-A!Maw?-5c-c9IdMie7}Eu z&+T02T%GbBuh;YSd_Erc$9>?o>)`<)3ITM0oikDKxbbvO7Y0u{iY`sN47O8)RSt$-(*a0%L7fXk?H3?axLo0Oel- z1Fb#8+86{B!W%~4O!QwA;5fVC)kAh66vCv_ij{Cc*dki>Yz*6M#{0MSr4OyfN`e=2 zsLdSw5pq#8s+lwb+bcn{JOQy!3Z7)N_!f%D8#o9n6*4e}8cGWWfPlDb)R{-{T;t`D z_xBiWOm9|ok5P#YkP&Bi7Cb~&RdZWg9)1|%-e-~YBHg!E z@BcTFGQkiBlOlb>A|Wk6bMu*gb->8kAXfr=B#zWUZP%p8p~?`Fx8=KP-gee^N&{gt zhZ;9I3OPlokA8bN=Sjb2#8|DTt4kwxN3V-MOqx*8fe}s2Vrzk7T8ivDfF^OmajtKU zYR$TJl9*@%mLVV#`br!Nhfxw;#TI0w;#dpZfD{kNAw_9~Oq2M{UR7Rgn4po78e(|4 zxMB?*%SdPm9&-w@Y6LrE9APO${ey8EwvbntH3{+J9FpDd1{=LWK&8plPH!rTm@I@wuI$Oi)TYo{rz(T861dNcj}J^*;klY$ZAZ zk_vm)gDwxj%{9|}YV;Z@)3qNyECDJ6i@eqyVe-DBLSlIVlB%#})PuF+&&CW!cp583 zv%&-hI|xJNF*&(Pqhala0Zxg-^2d+2p+*KUR!}4>C)YYbP*5;^2{#y}H4zCxU-K`K z3BU&%XH31_Xj56*a1B|-#F%hrh~Ie3G8G<8%V}?txE;KN4LfFt#VE2#f)@ zja>g01CdSG@fu@yOw7qH1w<%nK)ouulX-!E!S^rt7ZF`2Yp$QzKy{!Y^d5#rXtsjJ zTKZ0`B&Bj1-!v94gL;mbMx|R@8hcs(M?uO>EL#q!}C_vs~eb}mYV9}=f_=o;oLbz zB_&Cmq-dqv37ERO$%Q00!Vw`9?w1LI)?p}y0oaWCL;0L z2lWXG+P{iqGhHz7V9WAEhfjkEU&pj5Q#+yW9Joa|fe65eI8pdWe>RxA^L0C^s1+Ii zM-YnxHRDMZ|7*qurWpiy!qZNr?W7l#X|GQVciz55WwR`3Z2OA{elP~^ySR8WK49p| z$s|IOzmq0@;OwNJd-4RPioz942oPieO(RLC9fcIkF;J-P-n%z8QKO&|Xb9kxrGNsQ z;(Kk-gT;+9!IKfC%y&HLL^^9+y9Yy%))5GmnF(i$6fPdD10Chtuk?PsuNo`hYpq8c z+hjkcojE&cWcu~(K}FaiReihv*=A7A1{00SVnGX&RkN}BMuEIc@M^AFC_wHr*B zZ-`wc5eIj#uH&))xWs^#MV9f@&fG-l$?Hi%G=}!yh!{d%9+m5Pq@AQADSD7jtBlrf z_}_9qVDv&*dmFe^*KFKKP$46`I$C0Y1bz#M6CsXsvp^SOstrIH^aJm)65~3Y7bi^) z^%vsa0rw%s!T+FLJg$GOEJ_8TpFrWli+)uC-r7%_licPGpkZcY6$S!5^zi{-| zKt0(S87BayHZ954FyphONNFS{;vY^u;^j|Z_sb_vAIMG~6YQhGE zjPRZ$SS>Ga5pj+9D`VxkRVuG<;t=t-CT^8LJRlL=ZHrAYun-4i9t0+YOawGW@JRwj z(S7dYojK%oK1Xq`wEP zbTZ@>+k9``&yw>`Py=sw-ba7MTtEwGAvL@gm?1%#dGmsWU7v_xA)@Bh2|Y6WCLx3vP&MbM|(K%1enQvnMFJcX}+p4q9x?EXtl>cy%=b5dX z5nYdK7g3$$745d0>)k+452hnfy$GOVF218U3P@({irXP2+ka+qqkOzA9eU=Y2OF<2 zmlc^o6NTUP#Yrqwv!{^w!3@w4(CcD80JG@v;HXu-vZQwC6|57mA?M>BF|ZMM0rs?t zCO&aQjJjou6NZ<<;RIp;+nq@CpvOadx$*0pK_R=^c)|Irf3x{c6&nL()M1Cp@?X!^ z7{zdF>SnHr8j!z*JW||J$iPrYVvME_i1H%8FSP?xaPS|Dk_ty-%GPBY(CYzpv@Nf_ z%JT=T;95>ubQ%~dY~9C%T90A*kMD{>q<~GN^6FoFIlp~ix+mh1+bME7j>5RqFJ504R5EHFY1Pm6h@aI zqrmAq9}8@Fbmj-kTmg1Jf+hoCAY6a!s6Q~&17Zuj@lmp%Dm(CGBIyL_@bi=QJA0Hf z|4Dt((j~{6_Aii+r_fiR%_7qjTrzY_ckx_6ngGTot}HRY#w^}KBQHK{1+lJ^mWIEL z?1>ZZ<>|mfmtzBh!^Fj=OfewMq3JyTP(7%$ibrt+sKR8XQ@c;0`)`=ShzK4mz%A$a z`^Z*w`eE~y5M_EP*05hYlCCSt1@Z8(DcHXJd1m4z&EU#=se;c(M@GW&P}n-23rs@a ze+ij}7*-#^$PDyL<6%7#$VC1-LJgr$A>tm$8^keeB%?YqlEDc_L9tr<#)J`d6e)_( z0g{A43R<5$1PmkhoFDxgp$#ULAEgbz)ag)~juriTLOo~zW7ANUJg5|-YJ-o6!0 zGb9pwz}W|1l7pMutA+(U6S9WI?FjXFG4-l%xVa$1--UTYAF<2A1gct{tQ-g+y&!6> zp7g7}n>gsr3jO^>bOU6*50+Zx%CoxXfvkl84InvBvQnWiN(9=1PK?X|kY)gr5==tT zG7u6gtoIh>6-7#7E{$gdBP|FuobiU)c0CI*3TUwoK^sp(nR0Uv>tvnDp%$N;wnUYQ zhhWfNkqj!;;j@Hu9mQ_Ww?u%RHvkBdPzgM?2a0PF2ujXhfQ=_iQ!wFZvZ;L=(856=%5uma-IHpjM;g6hV0eW?bCWe$#O+>MA`dy7yru9@(CDg9PH5Z*xiAa0&$?*5)h+t?=w`-c;!xfYbAWVFq|-) zO?t=%uE2CJKKT>u)?|+!eFP>U7i1}&Ou#{oO$N?Qu!QQPU~W2!iOyiUbf~+RY`7N! zk9tP2^LeA8-riRa?xIZtl*+8PCAT88wWtVu%5bRo7>Zg9FvRpiQ+I*CZ{*B#yV#-} ztkCWF97v8hihgP^74@(IDq)v^tjS3jy@!LGDU&rj85>q*I8vQt+Mpq9GZ>a_e^N;) z3}>#4$GLPn!WoZ7n5I&e!%P?g9%Qkv2(%etF+cZ~Mfu>C}W1(ql9UTOyY^jll*L)y28nf@wA;Z1_>iG!{0~p(5D|8>*JF5IL zLKGujf5lMk_W1nEcYC z1@+~(u@I_xW5?N^`wt`}(KVm@m*2SnsQJ;h5lKC8FfdmLQq09A*VtHFdurAg9zc*m z!%@h#2oMS$#MqNhCAjhm1^)?ns1z98b{H`Sz(ApihobK^(!{vcUr^Ss_vEa9?Crh# zLdj+#pVEkvj#egV2r@GF%Ll2(F(l{Us>nfVHZdO&G3j1;daKBM`=U}nyeyys$&tFlBchDJ~ zYPaw1#-shaP^4?-gcsf*d#j)XZvzjEud#ml;>9pDx-1XW~PbX_0i(tyhx>(pG6;(PubhIMlKBeICJL|avnXX;AH==lsxecB_ zrp!exEu?6u7NE6j_P9Zk23VOu`EcFHzyQQKxQ8%O$UGdAgTYZ$6MWDt5NkGViHR687@C_SNZKl0Q(8^_5pikL)E8GT$?spqQ*D{x*im2IGYEsUlldP$D;oA7Fi6e;> z)e`WiOEy>$U^S6`0ssO?&4&@)&5TV|UhQ`x%q}*eI|89n5+qRyI6Y^8KV!~E!nldw z4^DM1H^G+}hY@cfu!GP+@N2k)?E|DxfReZazD5|~k@{BQa(7I`p6KW^BS83D@?HiR z9W^%2+&6JG)ehD;Cl`$K)?mIE4EoK;WIV6rpScHIf)+FlK{sK=mW0B)U8H_6)~Y$Yj<1PW2X+*foi}KK^3U=l}`;bg-?W_uoKJ2K;@s^S=oX{2RW(0tmnbzQJckzS#GOo*4L4ZNB>gX?7x4d=+`!6{x`APl8r=4f* zl2p!fAGSIf*7L+`qal;r&eW)_H#F+h4R;i<-F6#afc-ZIBxaDlaP@9(m&HeVB?aeRNYzXviJGH2BZI)=S-CQ$4 z7$5+H3ot-0;Tm{7>A?wuu)Dz!f^f-ohes9&dOz^kn41r*uWhOvy(Zpx#LWa$IKa4k zkOD>ez1ndBR2r-%H;fMjWo)5#$*!+Y%Ts&P_||+eTpR(Cc6+yh@wtqS7~I??%x0vA zSvC|}Vc;jd&-7~nDpK9PA7mNMzP)VyoTr@9KcW+@@nTKJ@slQvsWd}Q8i7*SC_)r> z^6~M#gK&=!-;h+o&mg~@?#R{8KpTOh{)(f|O~7d*m=r8_{ntfJV1o^U19SZ>gIu&S zxN09G{b`$bPi?OnLKgw~{3anGA=|~voY2w2n7#j&1u-a?X0Bq8(o#?^y8hmB#r}Y0 zyYIdf@?O@q;)UV?yKO(ky^3q40616ya6pp*-Xcix-@&`u1{@OI?!Mv^VmAX+oxD6e zZlJp@_U&}&7~YS}uK`R+NACB&;<)dmIv$6PG`l#?l=n61^U#f5`?R1YDIF$i5-mB7 zc^<=beNJg|@AoF=LDm9$KHk}E(dZEWlO`hj_y|)H9Xko-BL40`a{|5;#A3@N2~<$z z5m`83PQ%S>lM|=LzulyR;PHF7&+Ek#{)jC{hX9LkBH$6a^vx-KHeNdoi7@ZJe%%bx z_PKLm>Bl@+NiGW@Ow@&Epg~INbwv3==)T~)gPcq@XpGZT-Za1*2#@;n$L+W!-yo^c zogJhnldDz~-XGusgt-&hL_x-fzGFSk=WnPxq!0rLp)_U{#g?UFJIs7w9|!VnVsbK^ z7w?1OTtMFi^zRIUkVvLA^a%i_5ZDtpGLFUrF?ZRR8l&rldLXc%XgFL5-Y(?D(0R66 zAkvx|)uSByw2L$mF1qT|XgX3QLR}ehoO^GU+fJZ$&aBzr841mi5nx`B{8=;wiR6FM3Xnd?4 zC!VA2+}sawjGa_g4ihw+>=HsP0vQgp=XU^JBEBP z4xs=Kzy*R@*cBEQ_(L8wf&0zRdhfV9Uox4ATru`B)yiURcAYGpY3@arhw%dMid}bZPvhDCoyLl zF|Ai7gFo7hd}9jH$x$8D&xPdBN~!n*l#VC#EV& z7-EG3nIN4VEL2cY`-H(0u9Gk}!2u3~ft@TmLwGnnCXE}QBs6GpIQQ3WLDX7?4GF&v zLz8b~i+f#x60M~ZD@+#ZlqipO9C0#ns&a-&8c>(`ympweC2xaynRkHWtPNUTJ*88p zo{|@3V`V*xx51v}4T2J9q^GYhCyWaVDjlclo5HX?$N?ep1nrg${YfX%O3+PvK*Y9d z6R;ox{NR`9lEkA?`XoIz0~a(LpvF;j`bsc91}?$g)0mNV+yHA%6?4;DqW+H_ZK0}w zehfbtHaKWufQLy5AZm*hq*+AtBm=f9K9LeY&M>T-s;R3Z-amdQ>*(-|{H#6cD{Au+ z9+x}3y}XWs;7>jc!rr+7%N@lnP_ng6ZRzRRHTNrv*c)Wbb6U;3j#E#RT(N4E7s8py z1?B+lC_eN^_bFT-RKA|@b5~YZ-zg98SO)%!fIBCPF5roUrR5`KC8ce&EaF-WNK^__ zjU8!|(-pgW=Z-9T#tK-Na^o0~139t+>Tx!iiU4QGEAYW909=HD!1i(ONJr&MeYsBX z#|MY;@Pt9zBokVG6o87iMv@^Lv{V?ZCao4U{<4L3^Zpm3H%RvCY(MAOJ4_;PVT!N-c~=93lhRSpPU>VN!(4uC|>^Uw(aA|**Vl6}*0 zh~woA6(L53%~B8w!RW5?g$v`ml9J=IrT}4WZEZdKFp54n8{p^n30;^J0I^mZ$Ve>e zTM%G*ADIM!P_EF*cn|{>49uP07!x*^Sq*9t_EICF)F^C{mzM_~uy~7rfH%5<&mzPC z7i#{CND&cLh*mD_6i-z+bm$NqC*i-I58X)~zo(}s+Oph+2JL`I)!5i$HG=ZEz_1)_ zF~En!V)_CzRdCGD1CapU8C{-VUuI$a9FutLiQ3^$Pu<4onbfX;0wGv~&_lG^@;L`~ z1`xQj;rPh`*a1K&w@&)TLx*wF;22suAH{S<25#?e|O-*w3Ya!+V*^t!h%$&6CXO-O0 zmuoLG#k%NQz!K&r+GgkeOzzcvC7&({=G{#`bM!5(VJywZs^&grxE!Nfz=;SV7}3AN z<-lS`6JS(T1D)51p072aiwUxFpInS3g>N`xul61d`ZEwz9ICM2)6_F0TB1n?{(wAd9gCtW-#Hfsdzf5H$v{D}J*^ zKf?2YX?&2qC@qNj$UtU-8l(0l8&YpAPU7$q0yqIF5sZJRVwT8G7Dm2@;l>k4RAC_z zJIETxKG~JR18KuSFokeJS=p8!&1sK~vYRn%)Y z*fUSp8DsF})St8mquK@A0VqVr05TxtLe@W-7JiYSauSzk zY)r7%EWl!+00vwH1q*OL5RqW0MiN{ATn)i2zcJ+elwW|TNb?m`+R8T|m7MS+SX4OItKRksc1il|~LfxlDJGDyLu zqvi6jw}L*jbf>Y2fYzW8pX}Qa+nzdzJW05VAWyO;)=d^QC>gd8msi{ll8IU8iS68v6$8%Qqa_1JZ0-iKix=}QH#wQWA8m8KTS5$9Z z&^lZhAW;~kPxi$v%LG!MUfSej+0NVDyZ(&nIj6CD`ru;~t_QRS+{0*o95_nHa#GnY z;maGFk<~6Y`ZW>K`vDL|Ho6bI*gO!jCSa5B&3j)acr7N+A9Oh=X|i4ET8gireD5t` zn^teNm{m_yh;^;q&lyqXNFc7to0cWKMB%_`CSkjo_~hW$V$9hJS=EqULk&wYCUHo1 zl}?(#E+(*gGRi3P=FOb-j6pBi$zAHM?&5ulo#JBB^%abAYEQ*_<_$DvpIrV^It2_g zgig*hxp0uLh`-;n`2NYPk>1~a+hl;dVyjWmcy?si_mk9JG%WHdR}_WiQ%1dC=(obH z(e(M2D`#>VfBuf5yniKsVNGyh&9~YHihL#&LlsVN+Oig(lQACnXXwWoB&U>lT`Y^@ z_iFV%xGze}C9q}pZ|{Die@W+pszUJF_g|Mkkb|n?vtiGX&~k^uA{GbMzHg_Q95M@Iz{QF-PF)b)_dtazJ$u7bt$UBz?Ps&DV)pd0$wsVAF*8eoJC6iP|}f zu^C(r{I|C>X4*4?`;2H8#-s$alxV)>Q5A(&*f0>MY_!<8h7NV7Y$C*Lcg-<6P<^PbY(%#TEbt(?1uzTlu#tEPUEy5uMC_e zx+f?;fTE~rUI5*n*fZg*fj%?$-WRv)O3~9fUfusE!HAiIXw*OgB`o3U>QRFW?R3Sc zNg&XU%e!7c$wdAf_KA=1gE|TVFG-gvDd}C_t~4(8e-WbCjapU~3}bxA(-@**gji6d zbG3OX+K;90u8 zzhDJPtOHQ}qXmt()G=EKBPJXKbcx`8hZhc_4)p>VrZPr_3xv9ZAo#g-5;qRu(WqmH zqZ2m&=$BvX>oraH?M6fp$=zs1HGwI6XH%90I{Bowq&KO=j~{F@6hdVfazb#r;^L9% zhSvt3C6`B-exS#K38g*WnK)-4Na&auGxG4pF*udQ3mIvNqg*7)0Vw^zd;`E=4x~cE zEh7<&h+rKhC9BEC?#i_CVrkWbAFz-?dSH6Fd_#a2>R*(w7pr16fJTNT4Yemx?_lt9 z9`h`4B|+kM1|0&1e;~u11?U5-OYibVE9}zv3p1JBFo!@-Iou{+ld=rHlkN@~(Br4Em2BpSeHVsQhaoX?aup&Z6ZoR(2 zX}?8zUDSiB78$zsnaR_Q+7nb#Ga{#^;tgccJPABmk8(E8Ilkk^ojA)fZ4JfK0bz zaJLl{`h_-0cb7j|Cm>?4$9Mtn+x@x^h}R38keF2y-`EKd8?+*OE?2>k%swB5!uDUkR$F!%9LCN8&G0?sa|g z$+TR18kHE~h<;78rh~UEbk?!qCu*8LqwmFfZo^n_uy{UQ8V{KVy!PRj39D0F`07~W zc}AX(#?5<-PsiMy+8*4UVHy0M5o7f{ld*54pGs=6Zb=JxSgocrKlY(dN7IJp1Bp{1 zbq!;A#8q(EVP>3ZU{$-fFeJi2Ja4dYns0W z4sJEI=|`J(o7TT^!NI>5(_D1(;Bv<#6{m>fD-j+t2&oRU6Bp+HH$89!Owh02_`3<) zTPyvlJMozS^AAyjfWoNX!N?OmF#7jf(4&KeqQD7U@ziw73g5PZ9Llb9HMRZvW@HL7HcYNxEm1%ma#HZie`LZ88InjRpH=5heb_I-O}C; zMoCDr9feqDVVVnjP{5sIGd?Sl{GGiQFNXew2uM2frXx5B4-1RJ!`=OQaPU^FA>n6R zi5Iq{edny4dW`+Ltukej!98P?)6q`4mX^!z)fGlX*{5&XP$UuJ&{i46b*|;S_?Ne{ zCq7`;fKoKdqP@>t?$|M}tfo|}*n`$nmyxl-3WZT&I&Q~Ano{(Kx;kIHV@0F_i7dGY z+B3L^?_tHcS{z;cM?8YWZvmwgD*EjzU2hx9BI(@P1jNMrq3g8K!N`-)5PdN3Q4?}S z3Xn|-)+8F)3*dom-hb(UPAQ_!H6%PSc26q2+$vm9RP+N=39A?yZL4;qV*!&gYM4DS z>6#d9&@~7Oi=LTT6RVXP3z~TNdR2WH1Fx(x`_rd~ST&v=9`B(#i}kxux(7=Dq`VKP z=ujK#VYf!CDn&W%3-QtU4JBX~5K!s83DCT8kP5!b&8RouH#KD)x3^}nZ0wknuTp{R z4m5m{-W?VZfiMawDD)inT9Ift(W%QcYv}@{qP}OmPI&~|+ zEols{35yYgUR+Z_&Wu9zH;HfFoX2}RjY^J{kB;N%vBM!|Q5g=xdw3!LMcvxEe*gmp zFULNswZRJxf)(&pB$0;+S4JT9?{TxJ$n%9kEJ zLjTT#BGvhL>RA;W5d&-++5H~FBY^dUbRip#uTvy%1E>#b#Be-Fh~`eT9qFfc_IX zpL;l*mOtJ=!v!CkoPvU7m|Nbz!2xL_06{m}cE=gYGZG{CXl3Buk$DDA#3_b>;Q?SX;zb8@GQ*dm zssyCNo%Gvpz6b;cbo}|Gg+*br>HrwQ04ww{OaT}T2kHWVsIlS1Djj7Iv5m!QAkYl4 z+#+fgJam>sQ7$GHYrGdurnuY(@u))%`rs>F=)Tl09(3q#;*G}Leqm81&UEZJ3`SM#PrSl53GY^ zJOG3PxS$X81?Ri;@gunX`v6}N$}}i@!>+j@eOk|Bk2s#Rs)9%bm9-o$CxSbOFdc4U zpN*Op7Qoqj*B+0^d^t*bSu>l>^)ZR~HCb;>`!+jzS&tih4^8)Fz3E1(HS9C7S59z= z3QbD)R2}*3ztE$5TJLS%LuoJ3t!_xH`&vNhOXih)8pd=z_4{@iy1eU;n8hQa#&r@+ zhPs#-ewQzd+m~&U`cUHNUMaZJaMe0PM)$g+s&oU39sGr;CXCXH`o4YZ|3E!rbPvcw zfxRBH$^gUH3)%2nF|yPDiL&}srrpHJf^xIF@s ze=6*i&_7ZtC2toNKQ(l$O_~49oE3^N=d2B~5ODCw|NY(HuMgWh9|Y0l1vEH2Vh9K4R> z?yP*&4u_{W)qmrxta0$UJa&I)^^0Dc^$xzXn(}MG3@NyUsX%0vS zhFVt^TGB56w$Q8#_MA1%cuujzqQ++DL56(*@b6PQC5*{>4PDX_T7FL_GJ2m`!%dq5 zaR+Y!)J0i`q7qg|orop;Eem4s(k+~!ukc6_n=`5oly5NHbSSSsu_T`0h}hx6$z69ErGJ;1=J}3HW0O^11x;qI-(Wd zEhrd?hlq5_26Vl2$1q-@>g{VFU&bLe>m=?#bL|PEHRfU`cG0XT<@k1W+lS4CZOYr8 zaJ`eH8o2*rN^#$X^#_B4szI;+``!>a0LZz!M;YE{?R^?tYSb#`+BHWWL~)F?$(970b4>= zIT>-}TC6#-^Sa};@ri2f>H0(Pj-YGHm3Xp4roZ3)Rsa*@#xjVr!LTL7HB7>>dc+ir zTU1cvV0Lm8UEC%3B0&T$;CioqBe+OIe@)NK%uH0-%AD|+@v4lvININQm!$#+Jj@^9c;Ala9}PYBu;+Wtptt*u zUjyX$(cDa>Z1Q+G3T^Uy2xeRyK|nxAk223FEN10wFD)u^CK*LIT$Oc_G15cNSn`7sU1~ktRDSJThx?j(rN+3=HaE=ecDNanB zQHHnx*Xb-aI|S)2RPr|fnE}i|64$R~0kMCfV#IFFdG#DQZV=C5@_ZXCVXS#*K8U&w z&+I0QTi^l@SqePHiLV*Z6at_FD_2tT@OvCT7!8c*Ax<(fK!O6KG2P_r+qEb%aIz7L zejs|@KKkd+?|}vYWpDq;2%CUFQXW6?27&woBd3a#KwpQ_e03{{QE?i^OuO5E#REqor%9Gx!KY8> zKuScvgu@H8k{{qGx8rpFv0|)>@{FE-t;*7fmUl53Gyl&EKBM6a5FxHU@#8G0pM}Fk zGmy-x3T|HB3!wFrxd*xlT)X9TbUyXhOBZr*(NrIUV1jH)d3m&sdS8ID4Ga&T16+lN z1@P{!8kO7dzuk++h71hR1%qc6T{()e6xw;ispoOW86Y+QRpd^1I2#G}wPQHiniY;c*^xHiaZ4%-J~<(*WTymCC*egtxR{(tvgrVy%Oy)i6dL;nXCjSy_1X zmhaMS_N+lE-_Ok5O~1+un~5jZf{oqHi|7Jj|rL z)L#Tn?$p@Zh)@u4NR}+)IZ%x!BnSTkq(ngH;lA6%3ls3;T0Dg4Gf}OQJRQhKs#D|e zYdpnGRPf6U!i1D?n<;>p$N&wTW&>EP;h8>-I%x0>p)x@IV3fq~2viRRzxs>QR2caY zw@+|#LHJvCk(W~fc^!3cOt^fWfx>>%Z4TurikQ2YZ35RIkvTxAVCuM7QA_I+#&e{6 z#?2%KY%0F|o%Na6YEVm)fLJKz_oEHLl+vD?{@Q<&ND)G1uLm9o%uXeBfk{@c3Z!!WG+%5*`X=i2E%NOkx|kos3ol z%4Z&^x$I*tP~M=pdUJYs&tmr-*#g}c9g2&$-nHvJ(fljo?%87n+8Z;mHQjL^&0xaA7_o+#Z(%^!nLB zpRCgtFD|>-w>lWk2#|{dQ1Z~~Bxx{Z2;&WB zJcWdKlAa0UO;X7N4iLa|Zn6F~D4Bo?4&lQCmA9&MfWI4wLPF>eIsY}D=?X}p(ZIeJ zKd?*f?_f;%wf3n~kdNa|QNzk15=RCG1c_G%&Q7GqkR#yVLNR6698{4~p^xPz?4!1N z6;1;%N_--nA3PvQPcSfoG_xu-!S|n_8H;aRMB9 zeVf+ltfhRGcz{XKB5YnNz0+c*(CDS(iJ}0N{U0k~%Ys}XvH zIHM3^i<=6K&-0ND$yTk+&B0^w)1-Un^ z6Fp}gaokN~asy@HM)b3Q5ed!)rr$0W3ce($xlZVRF^a+7++FMgfCC@ZxNP@RU*DG) z)sqD5#KdN32;*u-aVd{I-E$j?m@;&B6b#y8r<>-v;V!{bSL$x=SQ~Sdw^y!i$6Cr5 zYyY_EGTmEa`sP=y&)-SgEuKz$=)H-err6Q=)sB%^%;obY@)+0=Nh8$xB(9OTQM{5J z3c(TF?QePyg%jCB0MwEQQ()gNvI%=&{q~zsGl*6R+5$~|COnKp7nssn0U^DTKEvw- z;~tc0pt|9r!S1P-y+}{n1y*1fP9?(M7kCR$MS^uhpd!fG0P=7G@h9*R@xs$Jgh|84 zA}g!sqoC~~^%lGs$WI6ug9)B{({p}!S~h}yhRt^;FK;`r1f0_uHuye&apN51y4wVg zAp9w^uOacCxSK%|1~+pODMRow6uKnee2^GJS$MMB*Dv-Hwt9fk0e+nWtIASRP_!DH zJP9Wggns&iQGx>#C#S_FPbB)n^c6*AB;Z)=vVs${EIyd_6LVx%8REtY2A0s<*GWmO z=#2(bF|r}%LO^Ub@9g9XTtP56Yy!k#9(?dTv3={-U>$?`p|yDG&3j5F@a1gJ&dS&a?TROb{zkalQ|`F$ zOa_bP!Z)hQNW5TgpAzod4I*L4IA7~h)E#^LCZs|;fU@R!#NjO>xI~38Y~`Ipm)Nv0?Y{yAE0a|0P6vblXDM6 zE;!Pzu=|&Eh#3ZV1MzCkpc#V#O$@++$7a}^O210@i3B}_)5dC8I-q-@JpiDGls2%K zTMj^F8Ux9*XljT>DC+bIz*MM{A0ni6`YC3L=xAE85^R%c#!>3vc9ZUqhy|b^-WNl6 zm*-!gI7RyN=J@kOl6eTnvv1Cv*mq&di=*#5N@0*CaMC+namvSed0JmT7mg={{DNbE zc%8s&vOGebQHaUD^<*trMx-)8gI6i?s~p_Li60WwQ>4qf^zEHSzNw8D#ygm{?*OSv z$6guop!Z-2cOp&^Y;_{(QeZ`uz9g7qCtN3ZY;4n)yj#hn<3WG*-xE#9&ylA0=^v=h zj`#l?s7_Mnv$M-alA%2Y=61qlffMq%@02-`M^mzjL$SEPYwTHHQqJ=1H!SBMi&e2> zUHc#krP|b_NjY|SOOqP&*=61DW84Itmis5tNDr?F{cj)rV3gF7wK$vR|NiV;BEHtX z^k~$efa3JGlS%^|i$`v{MQDla^pDV*lKt}1Vy7pcpz4~m7iY}=h+V0T*n1B&lm4Hk zPV7w-moAKds4or{aj3}PpMO|!{?Djadd1h~GE|G1y;rCV{PDS7)$hrL(t%u)@qz91 zuJ(2Aq3*pO?0d7D9c|W4^_gydF!=qn7yUqfhSZvYjo?^&qUsiV{Mz5o&v5hB)ZK6| z&4EbNm%n&N^xL-^Z%ZOWY*w#90dZs4!uFu&1q%B;u{SpJcU6Ldg5Q33nAU&eXzTcB z)HQS!XRL7d1hy)$s;WeaasCliAa;5<{?w$IwhDs=x*h9mq%n}dZ21u=0p_JF_br%R zk-bvh&0p0Pca4uOO5k4q@UT>{;_1_;ozTR9?S6W}D?^&uwO{ikENRRK2H$~0e;lv^ zd^n=bxhcVC&{`n0(XOuc>Nd#ni$KuEZ$WIM*_XNi_k3Hv;F%#7BXI9+K-A;Kx7&ZY zB)azOYJE%2wVyVe4t5%s`eMKH*{l0Oii+K*FH>N)hq*7h!4Jgn7iKg#H;sKmCz;kz zZGgAZsZ+I;C3$)(<_~cey-m6AvvwJ+TA*bV;yYj#*|WR-C?1J%vC8#Q7kL}w!+$9{ zC>6Y9wx_vW(|W*+&SqVU_!IiM(*dm6IY-vnUNJs>0JJ$!=FX1yH^T<)8K&r>iSBB+ zL+S{N&#)Z<_Rc>Mg9SOQ83F6$F@R#z`d7 zbJ@z3df2B3YK6vXEj|5R%*AqY7MJZCA{+~{i}$}@Ntmi=v!RIrV3v=hSTrUoGS(RW zy-iCaQFZ9bg=~j+QlJSyH+dTF37F_iw0J5QiaE%5klqLf0AT7n*mDbu;QIIu)WMcc z!pAiJ!e^rah6@Xe+ut}GB=>dD){XfGqgi@3P=co-);xedKwhZvExl8rqL5V8_v%

4B*du z++7S>-2cvXSk#YlY&W_+VwzK2+={X&KRcVs324m^D4yZ^h&7;xi3g!pBry}SSc0Cw zZZf)J?n7xQB!$y!U8E0T0th_dxAI0thGY%n2;3m!0l(Jo_=4co!!+d+II=N6BL{c) z!iYyk^lv`|dsVlSJ{4q+`_4o^aCbemuiNp)jnLkvgbMg4V#P$b&`0 zO;n@lBpH`HY9RcPnHBELZ=oN~P>EojXl2-LxGhOc*ukuXL=Ahq=-l)W+Twm#VI1OF zk6wku@Ze7qZmX130aX)nxQNFtc=aEEI->x!9qZjSp9YFb1pTjZL+S>Ue;GCeae$zX zq=AAM1NYthva(0;W&{bA#C}qGmYxIK1p}>(8#lsJ5$#DcRvuYu#4s2o79rQ*!=oCh zN$dNI7)6EWC;Hh#kWQiISw%?aj_^)1sv*I1WS>FxhQZD)yWLHFVsh)QG`P*ow33f&^ha9lzmosR(zQ6^YaN^6$6B}DY`mE;>2AA-u z4GI4_p96*I4#(u=LxHt|bPkJJ;&T-iCY8C@7YGFa^4Rq3$d|yhh@(HYS3bTd z`$xlt`jooU2Ea?;;0V;=sI>H*uf|*pVi09HsED4T+Wp$l&}xG)=fcbK%)5q;^vzB# z(8h4AyTG6d9>p*ZFdzMS3UgM9iKWlKzyh}Eeii?(E_C7b>qwOJ7IfP1cezISSlYr9 zQo$tUWf&-RblvNy%b}l@sG8gl9r#>r_-xhk1SEH`93}=xI0`teXPJ{fe2~&{n9!$S z#!(fNW-lK%sBLiM$Pq9fRrGC8!h5&kX&Sr?9E1dGm^Lu{MsNTY^A?s&sJ$b=>#^lE zJaDbK68S6#>QB51IY!c+09jxI6Gi)V0d2U2CH+F$Ym64FS{uf}aMr_6fuP8%l`m`G zQ{lOZkAfV8_rRmcq?Q5>KU5%nI20}M^M(d!z7Ygl0v=rVCL*XgBDifA}TsMuF|1fk!yht5v8&$o^aG0OUTGw z#g`r-Q`&u(4{>Y0c?ixCrYZTz8%89Tsj{uS2?iX5r_!sKf`!VdASdm@0Pxl>8^Z-y z&bC1C`#q^fCkL4>e`{!e0Go1pa}0;39Ci=yJs*pTa;mDl0Rch{`T;t|RuimHv`_Ql zpvs(|4Xu(Q`2O1JQV4-z2X!irN3v2Z9O?9MAgEvQ}2I#LbKtgZ2|7!mhu!sP8e$;RM z_6_QgT?cOR#?^*%4WzSxUja7q=^j{DRMBzAI)NZM5y{ul#VtMnHy| zg&w05VD)z+Bik!W9{ko!iVm5wU(`M1*gLJ?V888?%c_2dscl{|b!(%z#65;jZ(i2f ztoPtS--h~qHBC12MippDZ#D7wAC&qzO)q5sDkyJD@SC;K8Cu29*sZfpfaU5wbwwHb zAIN|FMyeTKU_x+tUnkT8wn|fus)QCArx}~I@ifLp@bI4IXz6gffDQpIT4^}=MWoI|vr&T=VxxOLdlt`VfU%}*>&`#I=|e}u#gNw{WRry6+7a6>Vx zLFtzbgVgt~9$YH(3-6OLuAPtT4Ih{^_C-Xr@@fm1nIt7;)hU;`D872FH1t^T(-N~< z_6KYlPgdk!dfLQddh+=b=G&XD*9;9j$=53pYMKZrop7aN844JhSxuoFTDF#gzgBIP zBLCvMwT24+dbdV$3Hjy!`@dOfCRpNkJV}j-d|lb)y$e_21FMWkve_%^h5ve;hS{#8 zrt?_h_U}JWt;C;mn)1s%TRu6m{C16$ofT)U&ItMGoowps|8ntqg{4^8*$uw*ugyIr zcmL{$SwigLqBTpC4UPJg$gAvWezP@1b1Xn3t2yJ@sGw=Z(L>a<-0mR}$NZyLyIHGh zvq(UU*#o)$kx!(btKD=zYNjJ}#Y!Vx*l5)o9q7EtM>$+pKP5#> zy~X?p&5OdMh882%qeJ#22SA<7+$8 zo6zs-&LDW^C1`ff^P3dv!j8K)RB>-nFW;SG)%$fqb5!hN8D%LA&Bxr@i8oeZ;r^9n zXB0k4@ToIxPvtcDabBk4~hoV;B2&cWBGcpU)|C z=eru?ip1hV$K$AGrU0Gl+jbY%RK=UzyCX628Uy|l-1dv{R^i^Aqw>94E?re|rCiFF zs;uevvdYj`@OJb!Z?Ai?HBoU&&WE?#{mAUqn)b9O?!g+&y?dTIWITj2M?GKZLAzU9 zk`d!s`(EwHH>;V2pYLKZRl(TgLAWDcJBXjNdW|`kj!wXX2VD_QIBo4bD`uZ-yX;6ybuoLtjb zR?h48@oZuTTGhIjt=pmT|D{$OL{13xU#fE#&XlG&8){}{y5Z$V3J1Lli;Gn(2G_Eg ze0`2W_N%!G{@k8t#U8A$YMnIQ2Rr>RIR&a$1i;ed&%~&bLy`73p@QI~dWPcBsTy8f~pgB$g<(>EH` zpLuT5K9TLTF*qpdQUawq27P?L0+s_*%!9` zNahRcP2(dd$DQ>(eZA9C6STzbrMFS zTKE$=$5p&B=alLCrB)kvf$Vbuc3q`~1qCmxPw7`zo3O-MH(j@VZtmopd@;0HK|Joz zUC$nE)f8C6BJLUlk=Y1R7H74%T+Hv`9%p(lsS>Tk*3&SSvd{Rc0@ZBsPi>u)eP=3^nWhGx%vv|w2^cHtM&~PB z9Q5jxRmcjmvAodq8QB0s45F;6+G)~;UoG`|6n9fJza3wqSc1`B%$(EKLAq6{=W3Yi zlCCMZ_f+TZ*m=Ig({_~i$A%Fp7Axnj@R=#PFQ@=zWaPckW51WI|A-t`u)(^jUfmTH zGlHed;Nb9J2%BNOxYoh!t-hjGcN``=cgP6d$SycxzGB5{cgNE&?$ENF=vaN?x7|D> zpd<8NNdv3QCLbOS)1Uj3E^Z2OYTG5?@IIlb>(`ccqw1e2h85gL&oukP_QZkFRqEs3 zXT`SW&D-QR&(YH|e9;XENE&{(SY<=`ZY|69PcQ8gERZ~sf(R!OtznK;SzqsNXZwey@HZ-V2Y>s|IC4`Tmz&|EK{ zW9NP;@=PSv%$ZgiWi>I0JPrv9lh;VJi(a&NS|!CoUx02^*~@U}4S_EXMk+X}M9l~` z`KioZFYl^-MMJe{=Z|G;4+z1VAo|G}1%v)?RKooereYG;?&OJ!%sxJOdGu#PB=%y? z0o?)Lz1QwYyFRF_imfr$O0q`=w>lv7ijZ76Z$G;alh;S+<$U7Gf^$Ac22ENAv{RMTw=oDJrUzLsP^tJXt!{r#4+@{dy!v9vdNp5a)3)w9E4~ zCCW0zM5>a_c#Z1)1A9~}*iS&WD|Rhzsw6;6OFS2co zE8BM2{@kr=)w7NRHUCoT@mQ7E(=`+CMy0SuLj)J2S)(a(#o@eX_lx97 zadF%BxyH|e7fQQIL-Tg>MR}k9WY@^R-l+ZR_>VwFF6%Mh81-@$^Uxy(Lo_V19>>@{ zZN=Ay%X)K?HBUZ_!_bT~PB2sl?l*7VJnkCbc`s>t`pm&zz zNg2V+T`X8v*Z>%qMU=s9AvKxbX0zuPUf}4(Nqg|%b?#rCXH#1?*uS=V2D%hvbWtGV zJS{$-^7idfkCA7WI`g(Emue&_2TR`G*4-b~ddA*#&r?#b;E##*AE@$3z5FcZL`LeT z^RMFJg1PJFht{Gdqgm&bcr2ulQG~;Ll4O30>0mpAL5F6twl>#J5iZRNmw_Iw4>a|| zE9pt$P~v`~+P)1Yvg4n3#mjMx7=DflF7n}_x8eR#!B!P@q9K(D8wl|~3fh`8+$%Cy zc8JcVHs%=R$^je{Pkeg?;)X`qq7iXdxceEK3@Vrvrsa}ck9ku<%&R=4WcSs+*a1HBqr(rvjF4jBS!(-RsW9*yggzc01>8Lua4yx?f-A{|lZ2Vf?CC zQJa$9Q^ks|dOvAXq3KM&$IHu8X=&$*++VqJWo`N3eK|UEW4QG3rKevgvi&z_(-fbuLHYUlO4_(tX=&%wHl&S>tG16FJ3rH!weh-e z;ai!_W_|I+QGK*^o0>LhEJ+$Lpr7W=TcB^h{Z5jUk&$7Y>UHhfHMx7Z%gyaUNxJQa zU7vdOa`F*bEEc7wU(ngJY4WL8Pu_KE zYyOK1m6esHf`S5_IrFu?_~K}ZTxV(2=rKQaiR`42&&27_;bdiJXY0VhLmEBiS@r7K zLq0zBZhFm}=VvM~z+Xe6WA**_KiHva0JcDg0Lqb?HQn^)8?S2Jx&*ao8KTx9VOqKB zRTUHz6xqIQNE;nIct`=wTj`bME45>1AfQ_rRkD6|7`sCB?>e;)Wn)k`znXAeoz z*s;$j@%@eJ*MG2{8U3tU1O?r3-)-Br(ZmVkG-=9oHE9;4VX-50>GI|OjQdh$W?oTv z$4CV0$nr|8EYua?whmP!j>ny)UAo%EOICa76Ju*Q#{tR7L_t-qZ0-y9qqH2;M; z^7Hf6keFCyW@g&9U;sAZkdP2>Y1+8x`OpCFj(0s@ojILq?=tSmy7&Zr^63t(TCvQo zb?n@}O|c{5^wp`9B9E7avA$n0*0#e~+s^IA8h~*}j;3-a0ssI2fH5qr1_0PqT_3;S zJ0+708pg9eR`{JpWgN^1LXi8Lhnz!F93cI)0qGO000<5hyVZp z0AL6q0ssI2fFZ1j07}Tt?c3~KLb<_M+YV!GJB&4e`xzkuC;<)*4)!jg++eJ2hq1OD r#u~u=&LJTo-eT_}00000lpg;N)|9>$6K`kK00000NkvXXu0mjfIjAt> literal 0 HcmV?d00001 From 9b45292f88a819bb00c4712f4117a0002a63fd91 Mon Sep 17 00:00:00 2001 From: Ramon de C Valle Date: Mon, 21 Sep 2020 15:31:01 -0700 Subject: [PATCH 02/23] Remove reference to specific rustc version --- src/doc/rustc/src/exploit-mitigations.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/doc/rustc/src/exploit-mitigations.md b/src/doc/rustc/src/exploit-mitigations.md index 5274c00b8e5f9..f682ea45e82d7 100644 --- a/src/doc/rustc/src/exploit-mitigations.md +++ b/src/doc/rustc/src/exploit-mitigations.md @@ -29,9 +29,7 @@ to document these exploit mitigations and how they apply to Rust. This section documents the exploit mitigations applicable to the Rust compiler when building programs for the Linux operating system on the AMD64 architecture and equivalent.1 All examples in this section were -built using the Rust compiler version 1.40.0 (2019-12-19) on Debian testing -(Bullseye). +href="#fn:1" class="footnote">1 The Rust Programming Language currently has no specification. The Rust compiler (i.e., rustc) is the language reference implementation. All From a9f7e1b38abaf736105227c2944082e4c8ad11a2 Mon Sep 17 00:00:00 2001 From: Ramon de C Valle Date: Mon, 21 Sep 2020 15:38:12 -0700 Subject: [PATCH 03/23] Remove additional historical information --- src/doc/rustc/src/exploit-mitigations.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/src/doc/rustc/src/exploit-mitigations.md b/src/doc/rustc/src/exploit-mitigations.md index f682ea45e82d7..43fdd10c28e56 100644 --- a/src/doc/rustc/src/exploit-mitigations.md +++ b/src/doc/rustc/src/exploit-mitigations.md @@ -160,10 +160,7 @@ and unsigned integer computations that cannot be represented in their type, resulting in an overflow or wraparound. The Rust compiler supports integer overflow checks, and enables it when -debug assertions are enabled since version 1.0.0 (2015-05-15)[14]–[17], but -support for it was not completed until version 1.1.0 (2015-06-25)[16]. An -option to control integer overflow checks was later stabilized in version -1.17.0 (2017-04-27)[18]–[20]. +debug assertions are enabled since version 1.1.0 (2015-06-25)[14]–[20]. ```rust fn main() { From 6a38a63ed78b2c2f0118f773d92c861a6e1a59e4 Mon Sep 17 00:00:00 2001 From: Ramon de C Valle Date: Mon, 21 Sep 2020 15:40:55 -0700 Subject: [PATCH 04/23] Clarify implementations will be available --- src/doc/rustc/src/exploit-mitigations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/doc/rustc/src/exploit-mitigations.md b/src/doc/rustc/src/exploit-mitigations.md index 43fdd10c28e56..ffbe5f2280af5 100644 --- a/src/doc/rustc/src/exploit-mitigations.md +++ b/src/doc/rustc/src/exploit-mitigations.md @@ -343,7 +343,7 @@ elements, invalid pointers, invalid sizes, double/multiple “frees” of the same memory allocated, and many corner cases of these. These checks are implementation specific and vary per allocator. -Newer ARM-based processors provide hardware assistance to detect memory +Newer ARM-based processors will provide hardware assistance to detect memory safety violations by tagging memory allocations, and automatically checking that the correct tag is used upon every memory access, namely [ARM Memory Tagging Extension From 344d8358014d85d0dd7fd5aefa3549ec615f72a6 Mon Sep 17 00:00:00 2001 From: Ramon de C Valle Date: Mon, 21 Sep 2020 15:44:02 -0700 Subject: [PATCH 05/23] Remove mention of disabling features --- src/doc/rustc/src/exploit-mitigations.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/doc/rustc/src/exploit-mitigations.md b/src/doc/rustc/src/exploit-mitigations.md index ffbe5f2280af5..e595b454db9d6 100644 --- a/src/doc/rustc/src/exploit-mitigations.md +++ b/src/doc/rustc/src/exploit-mitigations.md @@ -4,9 +4,9 @@ The Rust programming language provides memory[1] and thread[2] safety guarantees via its ownership[3], references and borrowing[4], and slice -types[5] features. However, Unsafe Rust[6] disables some of these features -by introducing unsafe blocks, unsafe functions and methods, unsafe traits, -and new types that are not subject to the borrowing rules. +types[5] features. However, Unsafe Rust[6] introduces unsafe blocks, unsafe +functions and methods, unsafe traits, and new types that are not subject to +the borrowing rules. Parts of the Rust standard library are implemented as safe abstractions over unsafe code (and historically have been vulnerable to memory corruption[7]). From 9e1e73db7e3dd6af1f91e253bcdc1c9265fce7fd Mon Sep 17 00:00:00 2001 From: Ramon de C Valle Date: Tue, 22 Sep 2020 18:01:04 -0700 Subject: [PATCH 06/23] Add software name to figure captions --- src/doc/rustc/src/exploit-mitigations.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/doc/rustc/src/exploit-mitigations.md b/src/doc/rustc/src/exploit-mitigations.md index e595b454db9d6..171135425e9ba 100644 --- a/src/doc/rustc/src/exploit-mitigations.md +++ b/src/doc/rustc/src/exploit-mitigations.md @@ -255,8 +255,8 @@ referred to as “stack probes” or “stack probing”. The Rust compiler supports stack clashing protection via stack probing, and enables it by default since version 1.20.0 (2017-08-31)[26]–[29]. -![Screenshot listing cross references to __rust_probestack in hello-rust.](images/image1.png "Cross references to __rust_probestack in hello-rust.") -Fig. 6. Cross references to `__rust_probestack` in hello-rust. +![Screenshot of IDA Pro listing cross references to __rust_probestack in hello-rust.](images/image1.png "Cross references to __rust_probestack in hello-rust.") +Fig. 6. IDA Pro listing cross references to `__rust_probestack` in hello-rust. ```rust fn hello() { @@ -270,8 +270,8 @@ fn main() { ``` Fig 7. Modified hello-rust. -![Screenshot listing cross references to __rust_probestack in modified hello-rust.](images/image2.png "Cross references to __rust_probestack in modified hello-rust.") -Fig. 8. Cross references to `__rust_probestack` in modified hello-rust. +![Screenshot of IDA Pro listing cross references to __rust_probestack in modified hello-rust.](images/image2.png "Cross references to __rust_probestack in modified hello-rust.") +Fig. 8. IDA Pro listing cross references to `__rust_probestack` in modified hello-rust. To check if stack clashing protection is enabled for a given binary, search for cross references to `__rust_probestack`. The `__rust_probestack` is @@ -413,8 +413,8 @@ The Rust compiler does not support stack smashing protection. However, more comprehensive alternatives to stack smashing protection exist, such as shadow and safe stack (see Backward-edge control flow protection). -![Screenshot listing cross references to __stack_chk_fail in hello-rust.](images/image3.png "Cross references to __stack_chk_fail in hello-rust.") -Fig. 14. Cross references to `__stack_chk_fail` in hello-rust. +![Screenshot of IDA Pro listing cross references to __stack_chk_fail in hello-rust.](images/image3.png "Cross references to __stack_chk_fail in hello-rust.") +Fig. 14. IDA Pro listing cross references to `__stack_chk_fail` in hello-rust. To check if stack smashing protection is enabled for a given binary, search for cross references to `__stack_chk_fail`. The only cross references to From 2b9e505a7294202acefe3ce75ddd97654937bc35 Mon Sep 17 00:00:00 2001 From: Ramon de C Valle Date: Mon, 28 Sep 2020 18:28:40 -0700 Subject: [PATCH 07/23] Add target audience and prior knowledge --- src/doc/rustc/src/exploit-mitigations.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/doc/rustc/src/exploit-mitigations.md b/src/doc/rustc/src/exploit-mitigations.md index 171135425e9ba..7bebb6abbd8af 100644 --- a/src/doc/rustc/src/exploit-mitigations.md +++ b/src/doc/rustc/src/exploit-mitigations.md @@ -1,5 +1,14 @@ # Exploit Mitigations +This chapter describes exploit mitigations supported by the Rust compiler, +and is by no means an extensive survey of the Rust programming language’s +security features. + +This chapter is for software engineers working with the Rust programming +language, and assumes prior knowledge of the Rust programming language and +its toolchain. + + ## Introduction The Rust programming language provides memory[1] and thread[2] safety From dc5745d5183f3bc9cdc324d649b68f15b77bb768 Mon Sep 17 00:00:00 2001 From: Ramon de C Valle Date: Tue, 29 Sep 2020 21:14:45 -0700 Subject: [PATCH 08/23] Fix documentation tests --- src/doc/rustc/src/exploit-mitigations.md | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/src/doc/rustc/src/exploit-mitigations.md b/src/doc/rustc/src/exploit-mitigations.md index 7bebb6abbd8af..83a62ef3e8203 100644 --- a/src/doc/rustc/src/exploit-mitigations.md +++ b/src/doc/rustc/src/exploit-mitigations.md @@ -150,7 +150,7 @@ randomization (ASLR). This is also referred to as “full ASLR”. The Rust compiler supports position-independent executable and enables it by default since version 0.12.0 (2014-10-09)[10]–[13]. -``` +```text $ readelf -h target/release/hello-rust | grep Type: Type: DYN (Shared object file) ``` @@ -171,7 +171,7 @@ resulting in an overflow or wraparound. The Rust compiler supports integer overflow checks, and enables it when debug assertions are enabled since version 1.1.0 (2015-06-25)[14]–[20]. -```rust +```compile_fail fn main() { let u: u8 = 255; println!("u: {}", u + 1); @@ -179,7 +179,7 @@ fn main() { ``` Fig. 2. hello-rust-integer program. -``` +```text $ cargo run Compiling hello-rust-integer v0.1.0 (/home/rcvalle/hello-rust-integer) Finished dev [unoptimized + debuginfo] target(s) in 0.23s @@ -189,7 +189,7 @@ note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace. ``` Fig. 3. Build and execution of hello-rust-integer with debug assertions enabled. -``` +```text $ cargo run --release Compiling hello-rust-integer v0.1.0 (/home/rcvalle/hello-rust-integer) Finished release [optimized] target(s) in 0.23s @@ -232,7 +232,7 @@ default since its initial release, version 0.1 (2012-01-20)[21], [22], but has regressed since then[23]–[25], and enforced by default since version 1.8.0 (2016-04-14)[25]. -``` +```text $ readelf -l target/release/hello-rust | grep -A 1 GNU_STACK GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 RW 0x10 @@ -299,7 +299,7 @@ also referred to as “partial RELRO”. The Rust compiler supports read-only relocations, and enables it by default since version 1.21.0 (2017-10-12)[30], [31]. -``` +```text $ readelf -l target/release/hello-rust | grep GNU_RELRO GNU_RELRO 0x000000000002ee00 0x000000000002fe00 0x000000000002fe00 ``` @@ -321,7 +321,7 @@ RELRO”. The Rust compiler supports immediate binding, and enables it by default since version 1.21.0 (2017-10-12)[30], [31]. -``` +```text $ readelf -d target/release/hello-rust | grep BIND_NOW 0x000000000000001e (FLAGS) BIND_NOW ``` @@ -366,7 +366,7 @@ C library default allocator5 since version 1.32.0 (2019-01-17)[39]. -```rust +```should_panic fn main() { let mut x = Box::new([0; 1024]); @@ -380,7 +380,7 @@ fn main() { ``` Fig. 11. hello-rust-heap program. -``` +```text $ cargo run Compiling hello-rust-heap v0.1.0 (/home/rcvalle/hello-rust-heap) Finished dev [unoptimized + debuginfo] target(s) in 0.25s @@ -390,7 +390,7 @@ Aborted ``` Fig. 12. Build and execution of hello-rust-heap with debug assertions enabled. -``` +```text $ cargo run --release Compiling hello-rust-heap v0.1.0 (/home/rcvalle/hello-rust-heap) Finished release [optimized] target(s) in 0.25s @@ -456,7 +456,7 @@ class="footnote">6. There is work currently ongoing to add support for the [sanitizers](https://github.com/google/sanitizers)[40], which may or may not include support for LLVM CFI. -``` +```text $ readelf -s target/release/hello-rust | grep __cfi_init ``` Fig. 15. Checking if LLVM CFI is enabled for a given binary. @@ -502,7 +502,7 @@ currently ongoing to add support for the sanitizers[40], which may or may not include support for safe stack7. -``` +```text $ readelf -s target/release/hello-rust | grep __safestack_init ``` Fig. 16. Checking if LLVM SafeStack is enabled for a given binary. From 3b5aa448c0cabd64ed802400f591a15ccb244e53 Mon Sep 17 00:00:00 2001 From: Ramon de C Valle Date: Tue, 29 Sep 2020 21:24:27 -0700 Subject: [PATCH 09/23] Remove additional mention of disabling features --- src/doc/rustc/src/exploit-mitigations.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/src/doc/rustc/src/exploit-mitigations.md b/src/doc/rustc/src/exploit-mitigations.md index 83a62ef3e8203..a73054ef5b641 100644 --- a/src/doc/rustc/src/exploit-mitigations.md +++ b/src/doc/rustc/src/exploit-mitigations.md @@ -23,14 +23,15 @@ Furthermore, the Rust code and documentation encourage creating safe abstractions over unsafe code. This can cause a false sense of security if unsafe code is not properly reviewed and tested. -Unsafe Rust disables some of the features that provide memory and thread -safety guarantees. This causes programs or libraries to be susceptible to -memory corruption (CWE-119)[8] and concurrency issues (CWE-557)[9]. Modern C -and C++ compilers provide exploit mitigations to increase the difficulty to -exploit vulnerabilities resulting from these issues. Therefore, the Rust -compiler must also support these exploit mitigations in order to mitigate -vulnerabilities resulting from the use of Unsafe Rust. This chapter is going -to document these exploit mitigations and how they apply to Rust. +Unsafe Rust introduces features that do not provide the same memory and +thread safety guarantees. This causes programs or libraries to be +susceptible to memory corruption (CWE-119)[8] and concurrency issues +(CWE-557)[9]. Modern C and C++ compilers provide exploit mitigations to +increase the difficulty to exploit vulnerabilities resulting from these +issues. Therefore, the Rust compiler must also support these exploit +mitigations in order to mitigate vulnerabilities resulting from the use of +Unsafe Rust. This chapter is going to document these exploit mitigations and +how they apply to Rust. ## Exploit mitigations From 78a4656ae7cdc080e657767b7eda03888be62aed Mon Sep 17 00:00:00 2001 From: Ramon de C Valle Date: Tue, 29 Sep 2020 23:21:50 -0700 Subject: [PATCH 10/23] Add changes from additional copy editing --- src/doc/rustc/src/exploit-mitigations.md | 246 ++++++++++++++++------- 1 file changed, 170 insertions(+), 76 deletions(-) diff --git a/src/doc/rustc/src/exploit-mitigations.md b/src/doc/rustc/src/exploit-mitigations.md index a73054ef5b641..cb460630894dc 100644 --- a/src/doc/rustc/src/exploit-mitigations.md +++ b/src/doc/rustc/src/exploit-mitigations.md @@ -1,8 +1,8 @@ # Exploit Mitigations -This chapter describes exploit mitigations supported by the Rust compiler, -and is by no means an extensive survey of the Rust programming language’s -security features. +This chapter documents the exploit mitigations supported by the Rust +compiler, and is by no means an extensive survey of the Rust programming +language’s security features. This chapter is for software engineers working with the Rust programming language, and assumes prior knowledge of the Rust programming language and @@ -43,7 +43,7 @@ href="#fn:1" class="footnote">1 The Rust Programming Language currently has no specification. The Rust compiler (i.e., rustc) is the language reference implementation. All -references to “the Rust compiler” in this document refer to the language +references to “the Rust compiler” in this chapter refer to the language reference implementation. Table I \ @@ -70,7 +70,7 @@ equivalent. Integer overflow checks - Supported but enabled by default when debug assertions are enabled only. + Yes (enabled when debug assertions are enabled, and disabled when debug assertions are disabled) 1.1.0 (2015-06-25) @@ -104,7 +104,7 @@ equivalent. Yes - 1.32.0 (2019-01-17) via OS default or specified allocator + 1.32.0 (2019-01-17) (via operating system default or specified allocator) @@ -148,8 +148,8 @@ instructing the dynamic linker to load it similarly to a shared object at a random load address, thus also benefiting from address-space layout randomization (ASLR). This is also referred to as “full ASLR”. -The Rust compiler supports position-independent executable and enables it by -default since version 0.12.0 (2014-10-09)[10]–[13]. +The Rust compiler supports position-independent executable, and enables it +by default since version 0.12.0 (2014-10-09)[10]–[13]. ```text $ readelf -h target/release/hello-rust | grep Type: @@ -188,7 +188,8 @@ $ cargo run thread 'main' panicked at 'attempt to add with overflow', src/main.rs:3:23 note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace. ``` -Fig. 3. Build and execution of hello-rust-integer with debug assertions enabled. +Fig. 3. Build and execution of hello-rust-integer with debug assertions +enabled. ```text $ cargo run --release @@ -197,7 +198,8 @@ $ cargo run --release Running `target/release/hello-rust-integer` u: 0 ``` -Fig. 4. Build and execution of hello-rust-integer with debug assertions disabled. +Fig. 4. Build and execution of hello-rust-integer with debug assertions +disabled. Integer overflow checks are enabled when debug assertions are enabled (see Fig. 3), and disabled when debug assertions are disabled (see Fig. 4). To @@ -222,7 +224,7 @@ Non-executable memory regions increase the difficulty of exploitation by limiting the memory regions that can be used to execute arbitrary code. Most modern processors provide support for the operating system to mark memory regions as non executable, but it was previously emulated by software, such -as in grsecurity/PaX +as in grsecurity/PaX's [PAGEEXEC](https://pax.grsecurity.net/docs/pageexec.txt) and [SEGMEXEC](https://pax.grsecurity.net/docs/segmexec.txt), on processors that did not provide support for it. This is also known as “No Execute (NX) Bit”, @@ -238,7 +240,8 @@ $ readelf -l target/release/hello-rust | grep -A 1 GNU_STACK GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 RW 0x10 ``` -Fig. 5. Checking if non-executable memory regions are enabled for a given binary. +Fig. 5. Checking if non-executable memory regions are enabled for a given +binary. The presence of an element of type `PT_GNU_STACK` in the program header table with the `PF_X` (i.e., executable) flag unset indicates non-executable @@ -266,7 +269,8 @@ The Rust compiler supports stack clashing protection via stack probing, and enables it by default since version 1.20.0 (2017-08-31)[26]–[29]. ![Screenshot of IDA Pro listing cross references to __rust_probestack in hello-rust.](images/image1.png "Cross references to __rust_probestack in hello-rust.") -Fig. 6. IDA Pro listing cross references to `__rust_probestack` in hello-rust. +Fig. 6. IDA Pro listing cross references to `__rust_probestack` in +hello-rust. ```rust fn hello() { @@ -281,7 +285,8 @@ fn main() { Fig 7. Modified hello-rust. ![Screenshot of IDA Pro listing cross references to __rust_probestack in modified hello-rust.](images/image2.png "Cross references to __rust_probestack in modified hello-rust.") -Fig. 8. IDA Pro listing cross references to `__rust_probestack` in modified hello-rust. +Fig. 8. IDA Pro listing cross references to `__rust_probestack` in modified +hello-rust. To check if stack clashing protection is enabled for a given binary, search for cross references to `__rust_probestack`. The `__rust_probestack` is @@ -315,9 +320,9 @@ given binary. **Immediate binding** protects additional segments containing relocations (i.e., `.got.plt`) from being overwritten by instructing the dynamic linker to perform all relocations before transferring control to the program during -startup so all segments containing relocations can be marked read only (when -combined with read-only relocations). This is also referred to as “full -RELRO”. +startup, so all segments containing relocations can be marked read only +(when combined with read-only relocations). This is also referred to as +“full RELRO”. The Rust compiler supports immediate binding, and enables it by default since version 1.21.0 (2017-10-12)[30], [31]. @@ -351,13 +356,13 @@ Heap corruption protection protects memory allocated dynamically by performing several checks, such as checks for corrupted links between list elements, invalid pointers, invalid sizes, double/multiple “frees” of the same memory allocated, and many corner cases of these. These checks are -implementation specific and vary per allocator. +implementation specific, and vary per allocator. -Newer ARM-based processors will provide hardware assistance to detect memory -safety violations by tagging memory allocations, and automatically checking -that the correct tag is used upon every memory access, namely [ARM Memory -Tagging Extension -(MTE)](https://community.arm.com/developer/ip-products/processors/b/processors-ip-blog/posts/enhancing-memory-safety). +Newer ARM-based processors will provide hardware assistance (i.e., [ARM +Memory Tagging Extension +[MTE]](https://community.arm.com/developer/ip-products/processors/b/processors-ip-blog/posts/enhancing-memory-safety)) +to detect memory safety violations by tagging memory allocations, and +automatically checking that the correct tag is used on every memory access. Rust’s default allocator has historically been [jemalloc](http://jemalloc.net/), and it has long been the cause of issues @@ -389,7 +394,8 @@ $ cargo run free(): invalid next size (normal) Aborted ``` -Fig. 12. Build and execution of hello-rust-heap with debug assertions enabled. +Fig. 12. Build and execution of hello-rust-heap with debug assertions +enabled. ```text $ cargo run --release @@ -399,7 +405,8 @@ $ cargo run --release free(): invalid next size (normal) Aborted ``` -Fig. 13. Build and execution of hello-rust-heap with debug assertions disabled. +Fig. 13. Build and execution of hello-rust-heap with debug assertions +disabled. Heap corruption checks are being performed when using the default allocator (i.e., the GNU Allocator) as seen in Fig. 12 and Fig. 13. @@ -421,10 +428,11 @@ when returning from a function. This is also known as “Stack Protector” or The Rust compiler does not support stack smashing protection. However, more comprehensive alternatives to stack smashing protection exist, such as -shadow and safe stack (see Backward-edge control flow protection). +shadow and safe stack (see backward-edge control flow protection). ![Screenshot of IDA Pro listing cross references to __stack_chk_fail in hello-rust.](images/image3.png "Cross references to __stack_chk_fail in hello-rust.") -Fig. 14. IDA Pro listing cross references to `__stack_chk_fail` in hello-rust. +Fig. 14. IDA Pro listing cross references to `__stack_chk_fail` in +hello-rust. To check if stack smashing protection is enabled for a given binary, search for cross references to `__stack_chk_fail`. The only cross references to @@ -477,12 +485,12 @@ class="reversefootnote" role="doc-backlink">↩ **Shadow stack** protects saved return instruction pointers from being overwritten by storing a copy of them on a separate (shadow) stack, and -using these copies as the authoritative values when returning from -functions. This is also known as “ShadowCallStack” and “Return Flow Guard”, -and is considered an implementation of backward-edge control flow protection -(or “backward-edge CFI”). +using these copies as authoritative values when returning from functions. +This is also known as “ShadowCallStack” and “Return Flow Guard”, and is +considered an implementation of backward-edge control flow protection (or +“backward-edge CFI”). -**Safe stack** protects not only the saved return instruction pointers but +**Safe stack** protects not only the saved return instruction pointers, but also register spills and some local variables from being overwritten by storing unsafe variables, such as large arrays, on a separate (unsafe) stack, and using these unsafe variables on the separate stack instead. This @@ -495,7 +503,7 @@ instruction pointers (and other data in the case of safe stack) from arbitrary writes and non-linear out-of-bounds writes. Newer processors provide hardware assistance for backward-edge control flow -protection, such as ARM Pointer Authentication and Intel Shadow Stack as +protection, such as ARM Pointer Authentication, and Intel Shadow Stack as part of Intel CET. The Rust compiler does not support shadow or safe stack. There is work @@ -528,16 +536,16 @@ executable, and the absence of this header indicates that the stack should be executable. However, the Linux kernel currently sets the `READ_IMPLIES_EXEC` personality upon loading any executable with the `PT_GNU_STACK` program header and the `PF_X `flag set or with the absence of -this header, resulting in not only the stack but also all readable virtual +this header, resulting in not only the stack, but also all readable virtual memory mappings being executable. An attempt to fix this [was made in 2012](https://lore.kernel.org/lkml/f298f914-2239-44e4-8aa1-a51282e7fac0@zmail15.collab.prod.int.phx2.redhat.com/), and another [was made in 2020](https://lore.kernel.org/kernel-hardening/20200327064820.12602-1-keescook@chromium.org/). -The former never landed, and the latter partially fixed it but introduced +The former never landed, and the latter partially fixed it, but introduced other issues—the absence of the `PT_GNU_STACK` program header still causes -not only the stack but also all readable virtual memory mappings to be +not only the stack, but also all readable virtual memory mappings to be executable in some architectures, such as IA-32 and equivalent (or causes the stack to be non-executable in some architectures, such as AMD64 and equivalent, contradicting the LSB). @@ -551,43 +559,129 @@ defaults (unrelated to `READ_IMPLIES_EXEC`). ## References -1. D. Hosfelt. “Fearless security: memory safety.” Mozilla Hacks. . -2. D. Hosfelt. “Fearless security: thread safety.” Mozilla Hacks. . -3. S. Klabnik and C. Nichols. “What Is Ownership?.” The Rust Programming Language. . -4. S. Klabnik and C. Nichols. “References and Borrowing.” The Rust Programming Language. . -5. S. Klabnik and C. Nichols. “The Slice Type.” The Rust Programming Language. . -6. S. Klabnik and C. Nichols. “Unsafe Rust.” The Rust Programming Language. . -7. S. Davidoff. “How Rust’s standard library was vulnerable for years and nobody noticed.” Medium. . -8. “Improper restriction of operations within the bounds of a memory buffer (CWE-119).” MITRE CWE List. . -9. “Concurrency issues (CWE-557).” MITRE CWE List. . -10. K. McAllister. “Memory exploit mitigations #15179.” GitHub. . -11. K. McAllister. “RFC: Memory exploit mitigation #145.” GitHub. . -12. K. McAllister. “RFC: Memory exploit mitigation.” GitHub. . -13. D. Micay. “Enable PIE by default on Linux for full ASLR #16340.” GitHub. . -14. N. Matsakis. “Integer overflow #560.” GitHub. . -15. G. Lehel and N. Matsakis. “Integer overflow.” GitHub. . -16. A. Turon. “Tracking issue for integer overflow (RFC 560) #22020.” GitHub. . -17. H. Wilson. “Myths and legends about integer overflow in Rust.” Huon on the Internet. . -18. B. Anderson. “Stabilize -C overflow-checks #1535.” GitHub. . -19. B. Anderson. “Stable overflow checks.” GitHub. . -20. N. Froyd. “Add -C overflow-checks option #40037.” GitHub. . -21. R. Á. de Espíndola. “rustc requires executable stack #798.” GitHub. . -22. A. Seipp. “Make sure librustrt.so is linked with a non-executable stack. #1066.” GitHub. . -23. D. Micay. “Rust binaries should not have an executable stack #5643.” GitHub. . -24. D. Micay. “Mark the assembly object stacks as non-executable #5647.” GitHub. . -25. A. Clark. “Explicitly disable stack execution on linux and bsd #30859.” GitHub. . -26. “Replace stack overflow checking with stack probes #16012.” GitHub. . -27. B. Striegel. “Extend stack probe support to non-tier-1 platforms, and clarify policy for mitigating LLVM-dependent unsafety #43241.” GitHub. . -28. A. Crichton. “rustc: Implement stack probes for x86 #42816.” GitHub. . -29. A. Crichton. “Add \_\_rust\_probestack intrinsic #175.” GitHub. . -30. B. Anderson. “Consider applying -Wl,-z,relro or -Wl,-z,relro,-z,now by default #29877.” GitHub. . -31. J. Löthberg. “Add support for full RELRO #43170.” GitHub. . -32. N. Matsakis. “Allocators in Rust.” Baby Steps. . -33. A. Crichton. “RFC: Allow changing the default allocator #1183.” GitHub. . -34. A. Crichton. “RFC: Swap out jemalloc.” GitHub. . -35. A. Crichton. “Tracking issue for changing the global, default allocator (RFC 1974) #27389.” GitHub. . -36. S. Fackler. “Prepare global allocators for stabilization #1974.” GitHub. . -37. A. Crichton. “RFC: Global allocators.” GitHub. . -38. B. Anderson. “Switch the default global allocator to System, remove alloc\_jemalloc, use jemallocator in rustc #36963.” GitHub. . -39. A. Crichton. “Remove the alloc\_jemalloc crate #55238.” GitHub. . -40. J. Aparicio. 2017. “Tracking issue for sanitizer support #39699.” . +1. D. Hosfelt. “Fearless security: memory safety.” Mozilla Hacks. + . + +2. D. Hosfelt. “Fearless security: thread safety.” Mozilla Hacks. + . + +3. S. Klabnik and C. Nichols. “What Is Ownership?.” The Rust Programming + Language. . + +4. S. Klabnik and C. Nichols. “References and Borrowing.” The Rust + Programming Language. + . + +5. S. Klabnik and C. Nichols. “The Slice Type.” The Rust Programming + Language. . + +6. S. Klabnik and C. Nichols. “Unsafe Rust.” The Rust Programming Language. + . + +7. S. Davidoff. “How Rust’s standard library was vulnerable for years and + nobody noticed.” Medium. + . + +8. “Improper restriction of operations within the bounds of a memory buffer + (CWE-119).” MITRE CWE List. + . + +9. “Concurrency issues (CWE-557).” MITRE CWE List. + . + +10. K. McAllister. “Memory exploit mitigations #15179.” GitHub. + . + +11. K. McAllister. “RFC: Memory exploit mitigation #145.” GitHub. + . + +12. K. McAllister. “RFC: Memory exploit mitigation.” GitHub. + . + +13. D. Micay. “Enable PIE by default on Linux for full ASLR #16340.” GitHub. + . + +14. N. Matsakis. “Integer overflow #560.” GitHub. + . + +15. G. Lehel and N. Matsakis. “Integer overflow.” GitHub. + . + +16. A. Turon. “Tracking issue for integer overflow (RFC 560) #22020.” + GitHub. . + +17. H. Wilson. “Myths and legends about integer overflow in Rust.” Huon on + the Internet. + . + +18. B. Anderson. “Stabilize -C overflow-checks #1535.” GitHub. + . + +19. B. Anderson. “Stable overflow checks.” GitHub. + . + +20. N. Froyd. “Add -C overflow-checks option #40037.” GitHub. + . + +21. R. Á. de Espíndola. “rustc requires executable stack #798.” GitHub. + . + +22. A. Seipp. “Make sure librustrt.so is linked with a non-executable stack. + #1066.” GitHub. . + +23. D. Micay. “Rust binaries should not have an executable stack #5643.” + GitHub. . + +24. D. Micay. “Mark the assembly object stacks as non-executable #5647.” + GitHub. . + +25. A. Clark. “Explicitly disable stack execution on linux and bsd #30859.” + GitHub. . + +26. “Replace stack overflow checking with stack probes #16012.” GitHub. + . + +27. B. Striegel. “Extend stack probe support to non-tier-1 platforms, and + clarify policy for mitigating LLVM-dependent unsafety #43241.” GitHub. + . + +28. A. Crichton. “rustc: Implement stack probes for x86 #42816.” GitHub. + . + +29. A. Crichton. “Add \_\_rust\_probestack intrinsic #175.” GitHub. + . + +30. B. Anderson. “Consider applying -Wl,-z,relro or -Wl,-z,relro,-z,now by + default #29877.” GitHub. . + +31. J. Löthberg. “Add support for full RELRO #43170.” GitHub. + . + +32. N. Matsakis. “Allocators in Rust.” Baby Steps. + . + +33. A. Crichton. “RFC: Allow changing the default allocator #1183.” GitHub. + . + +34. A. Crichton. “RFC: Swap out jemalloc.” GitHub. + . + +35. A. Crichton. “Tracking issue for changing the global, default allocator + (RFC 1974) #27389.” GitHub. + . + +36. S. Fackler. “Prepare global allocators for stabilization #1974.” GitHub. + . + +37. A. Crichton. “RFC: Global allocators.” GitHub. + . + +38. B. Anderson. “Switch the default global allocator to System, remove + alloc\_jemalloc, use jemallocator in rustc #36963.” GitHub. + . + +39. A. Crichton. “Remove the alloc\_jemalloc crate #55238.” GitHub. + . + +40. J. Aparicio. 2017. “Tracking issue for sanitizer support #39699.” + . From 410fc0e3db32daf18704885ddf91567345bbce63 Mon Sep 17 00:00:00 2001 From: Yuki Okushi Date: Sun, 11 Oct 2020 07:39:47 +0900 Subject: [PATCH 11/23] Do not provide suggestions for non standard characters --- compiler/rustc_lint/src/nonstandard_style.rs | 54 ++++++++++++------- src/test/ui/lint/special-upper-lower-cases.rs | 24 +++++++++ .../ui/lint/special-upper-lower-cases.stderr | 32 +++++++++++ 3 files changed, 91 insertions(+), 19 deletions(-) create mode 100644 src/test/ui/lint/special-upper-lower-cases.rs create mode 100644 src/test/ui/lint/special-upper-lower-cases.stderr diff --git a/compiler/rustc_lint/src/nonstandard_style.rs b/compiler/rustc_lint/src/nonstandard_style.rs index b3125f55d4d6e..080bb2c4f345c 100644 --- a/compiler/rustc_lint/src/nonstandard_style.rs +++ b/compiler/rustc_lint/src/nonstandard_style.rs @@ -127,14 +127,20 @@ impl NonCamelCaseTypes { if !is_camel_case(name) { cx.struct_span_lint(NON_CAMEL_CASE_TYPES, ident.span, |lint| { let msg = format!("{} `{}` should have an upper camel case name", sort, name); - lint.build(&msg) - .span_suggestion( + let mut err = lint.build(&msg); + let cc = to_camel_case(name); + // We cannot provide meaningful suggestions + // if the characters are in the category of "Lowercase Letter". + if name.to_string() != cc { + err.span_suggestion( ident.span, "convert the identifier to upper camel case", to_camel_case(name), Applicability::MaybeIncorrect, - ) - .emit() + ); + } + + err.emit(); }) } } @@ -263,17 +269,21 @@ impl NonSnakeCase { let sc = NonSnakeCase::to_snake_case(name); let msg = format!("{} `{}` should have a snake case name", sort, name); let mut err = lint.build(&msg); - // We have a valid span in almost all cases, but we don't have one when linting a crate - // name provided via the command line. - if !ident.span.is_dummy() { - err.span_suggestion( - ident.span, - "convert the identifier to snake case", - sc, - Applicability::MaybeIncorrect, - ); - } else { - err.help(&format!("convert the identifier to snake case: `{}`", sc)); + // We cannot provide meaningful suggestions + // if the characters are in the category of "Uppercase Letter". + if name.to_string() != sc { + // We have a valid span in almost all cases, but we don't have one when linting a crate + // name provided via the command line. + if !ident.span.is_dummy() { + err.span_suggestion( + ident.span, + "convert the identifier to snake case", + sc, + Applicability::MaybeIncorrect, + ); + } else { + err.help(&format!("convert the identifier to snake case: `{}`", sc)); + } } err.emit(); @@ -441,14 +451,20 @@ impl NonUpperCaseGlobals { if name.chars().any(|c| c.is_lowercase()) { cx.struct_span_lint(NON_UPPER_CASE_GLOBALS, ident.span, |lint| { let uc = NonSnakeCase::to_snake_case(&name).to_uppercase(); - lint.build(&format!("{} `{}` should have an upper case name", sort, name)) - .span_suggestion( + let mut err = + lint.build(&format!("{} `{}` should have an upper case name", sort, name)); + // We cannot provide meaningful suggestions + // if the characters are in the category of "Lowercase Letter". + if name.to_string() != uc { + err.span_suggestion( ident.span, "convert the identifier to upper case", uc, Applicability::MaybeIncorrect, - ) - .emit(); + ); + } + + err.emit(); }) } } diff --git a/src/test/ui/lint/special-upper-lower-cases.rs b/src/test/ui/lint/special-upper-lower-cases.rs new file mode 100644 index 0000000000000..71ebf05dd31ab --- /dev/null +++ b/src/test/ui/lint/special-upper-lower-cases.rs @@ -0,0 +1,24 @@ +// (#77273) These characters are in the general categories of +// "Uppercase/Lowercase Letter". +// The diagnostics don't provide meaningful suggestions for them +// as we cannot convert them properly. + +// check-pass + +#![feature(non_ascii_idents)] +#![allow(uncommon_codepoints, unused)] + +struct 𝕟𝕠𝕥𝕒𝕔𝕒𝕞𝕖𝕝; +//~^ WARN: type `𝕟𝕠𝕥𝕒𝕔𝕒𝕞𝕖𝕝` should have an upper camel case name + +// FIXME: How we should handle this? +struct 𝕟𝕠𝕥_𝕒_𝕔𝕒𝕞𝕖𝕝; +//~^ WARN: type `𝕟𝕠𝕥_𝕒_𝕔𝕒𝕞𝕖𝕝` should have an upper camel case name + +static 𝗻𝗼𝗻𝘂𝗽𝗽𝗲𝗿𝗰𝗮𝘀𝗲: i32 = 1; +//~^ WARN: static variable `𝗻𝗼𝗻𝘂𝗽𝗽𝗲𝗿𝗰𝗮𝘀𝗲` should have an upper case name + +fn main() { + let 𝓢𝓝𝓐𝓐𝓐𝓐𝓚𝓔𝓢 = 1; + //~^ WARN: variable `𝓢𝓝𝓐𝓐𝓐𝓐𝓚𝓔𝓢` should have a snake case name +} diff --git a/src/test/ui/lint/special-upper-lower-cases.stderr b/src/test/ui/lint/special-upper-lower-cases.stderr new file mode 100644 index 0000000000000..f32193a2e4a47 --- /dev/null +++ b/src/test/ui/lint/special-upper-lower-cases.stderr @@ -0,0 +1,32 @@ +warning: type `𝕟𝕠𝕥𝕒𝕔𝕒𝕞𝕖𝕝` should have an upper camel case name + --> $DIR/special-upper-lower-cases.rs:11:8 + | +LL | struct 𝕟𝕠𝕥𝕒𝕔𝕒𝕞𝕖𝕝; + | ^^^^^^^^^ + | + = note: `#[warn(non_camel_case_types)]` on by default + +warning: type `𝕟𝕠𝕥_𝕒_𝕔𝕒𝕞𝕖𝕝` should have an upper camel case name + --> $DIR/special-upper-lower-cases.rs:15:8 + | +LL | struct 𝕟𝕠𝕥_𝕒_𝕔𝕒𝕞𝕖𝕝; + | ^^^^^^^^^^^ help: convert the identifier to upper camel case: `𝕟𝕠𝕥𝕒𝕔𝕒𝕞𝕖𝕝` + +warning: static variable `𝗻𝗼𝗻𝘂𝗽𝗽𝗲𝗿𝗰𝗮𝘀𝗲` should have an upper case name + --> $DIR/special-upper-lower-cases.rs:18:8 + | +LL | static 𝗻𝗼𝗻𝘂𝗽𝗽𝗲𝗿𝗰𝗮𝘀𝗲: i32 = 1; + | ^^^^^^^^^^^^ + | + = note: `#[warn(non_upper_case_globals)]` on by default + +warning: variable `𝓢𝓝𝓐𝓐𝓐𝓐𝓚𝓔𝓢` should have a snake case name + --> $DIR/special-upper-lower-cases.rs:22:9 + | +LL | let 𝓢𝓝𝓐𝓐𝓐𝓐𝓚𝓔𝓢 = 1; + | ^^^^^^^^^ + | + = note: `#[warn(non_snake_case)]` on by default + +warning: 4 warnings emitted + From c555aabc5b7df5ccb88c15b7b94f73f5b40d116c Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Mon, 12 Oct 2020 10:08:25 +0200 Subject: [PATCH 12/23] clarify rules for ZST Boxes --- library/alloc/src/boxed.rs | 9 +++++++++ library/core/src/ptr/mod.rs | 7 +++++-- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/library/alloc/src/boxed.rs b/library/alloc/src/boxed.rs index 5c8c2c5a5a868..c543ee2d0c581 100644 --- a/library/alloc/src/boxed.rs +++ b/library/alloc/src/boxed.rs @@ -62,6 +62,11 @@ //! T` obtained from [`Box::::into_raw`] may be deallocated using the //! [`Global`] allocator with [`Layout::for_value(&*value)`]. //! +//! For zero-sized values, the `Box` pointer still has to be [valid] for reads and writes and +//! sufficiently aligned. In particular, casting any aligned non-zero integer to a raw pointer +//! produces a valid pointer, but a pointer pointing into previously allocated memory that since got +//! freed is not valid. +//! //! So long as `T: Sized`, a `Box` is guaranteed to be represented //! as a single pointer and is also ABI-compatible with C pointers //! (i.e. the C type `T*`). This means that if you have extern "C" @@ -125,6 +130,7 @@ //! [`Global`]: crate::alloc::Global //! [`Layout`]: crate::alloc::Layout //! [`Layout::for_value(&*value)`]: crate::alloc::Layout::for_value +//! [valid]: ptr#safety #![stable(feature = "rust1", since = "1.0.0")] @@ -385,7 +391,10 @@ impl Box { /// memory problems. For example, a double-free may occur if the /// function is called twice on the same raw pointer. /// + /// The safety conditions are described in the [memory layout] section. + /// /// # Examples + /// /// Recreate a `Box` which was previously converted to a raw pointer /// using [`Box::into_raw`]: /// ``` diff --git a/library/core/src/ptr/mod.rs b/library/core/src/ptr/mod.rs index 92c4f2ccfe8a0..453621d9eadff 100644 --- a/library/core/src/ptr/mod.rs +++ b/library/core/src/ptr/mod.rs @@ -16,12 +16,15 @@ //! provided at this point are very minimal: //! //! * A [null] pointer is *never* valid, not even for accesses of [size zero][zst]. -//! * All pointers (except for the null pointer) are valid for all operations of -//! [size zero][zst]. //! * For a pointer to be valid, it is necessary, but not always sufficient, that the pointer //! be *dereferenceable*: the memory range of the given size starting at the pointer must all be //! within the bounds of a single allocated object. Note that in Rust, //! every (stack-allocated) variable is considered a separate allocated object. +//! * Even for operations of [size zero][zst], the pointer must not be "dangling" in the sense of +//! pointing to deallocated memory. However, casting any non-zero integer to a pointer is valid +//! for zero-sized accesses. This corresponds to writing your own allocator; allocating zero-sized +//! objects is not very hard. In contrast, when you use the standard allocator, after memory got +//! deallocated, even zero-sized accesses to that memory are invalid. //! * All accesses performed by functions in this module are *non-atomic* in the sense //! of [atomic operations] used to synchronize between threads. This means it is //! undefined behavior to perform two concurrent accesses to the same location from different From 0f572a9810e2c54b7067641583a5527acff6cae5 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Tue, 13 Oct 2020 09:30:09 +0200 Subject: [PATCH 13/23] explicitly talk about integer literals --- library/alloc/src/boxed.rs | 6 +++--- library/core/src/ptr/mod.rs | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/library/alloc/src/boxed.rs b/library/alloc/src/boxed.rs index c543ee2d0c581..7fd91aba321c5 100644 --- a/library/alloc/src/boxed.rs +++ b/library/alloc/src/boxed.rs @@ -63,9 +63,9 @@ //! [`Global`] allocator with [`Layout::for_value(&*value)`]. //! //! For zero-sized values, the `Box` pointer still has to be [valid] for reads and writes and -//! sufficiently aligned. In particular, casting any aligned non-zero integer to a raw pointer -//! produces a valid pointer, but a pointer pointing into previously allocated memory that since got -//! freed is not valid. +//! sufficiently aligned. In particular, casting any aligned non-zero integer literal to a raw +//! pointer produces a valid pointer, but a pointer pointing into previously allocated memory that +//! since got freed is not valid. //! //! So long as `T: Sized`, a `Box` is guaranteed to be represented //! as a single pointer and is also ABI-compatible with C pointers diff --git a/library/core/src/ptr/mod.rs b/library/core/src/ptr/mod.rs index 453621d9eadff..243346a429a99 100644 --- a/library/core/src/ptr/mod.rs +++ b/library/core/src/ptr/mod.rs @@ -21,10 +21,10 @@ //! within the bounds of a single allocated object. Note that in Rust, //! every (stack-allocated) variable is considered a separate allocated object. //! * Even for operations of [size zero][zst], the pointer must not be "dangling" in the sense of -//! pointing to deallocated memory. However, casting any non-zero integer to a pointer is valid -//! for zero-sized accesses. This corresponds to writing your own allocator; allocating zero-sized -//! objects is not very hard. In contrast, when you use the standard allocator, after memory got -//! deallocated, even zero-sized accesses to that memory are invalid. +//! pointing to deallocated memory. However, casting any non-zero integer literal to a pointer is +//! valid for zero-sized accesses. This corresponds to writing your own allocator; allocating +//! zero-sized objects is not very hard. In contrast, when you use the standard allocator, after +//! memory got deallocated, even zero-sized accesses to that memory are invalid. //! * All accesses performed by functions in this module are *non-atomic* in the sense //! of [atomic operations] used to synchronize between threads. This means it is //! undefined behavior to perform two concurrent accesses to the same location from different From 28df283b03338740f081fa5c06ad9c7081e10084 Mon Sep 17 00:00:00 2001 From: Ramon de C Valle Date: Wed, 14 Oct 2020 18:29:32 -0700 Subject: [PATCH 14/23] Add paragraph about not discussing effectiveness --- src/doc/rustc/src/exploit-mitigations.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/doc/rustc/src/exploit-mitigations.md b/src/doc/rustc/src/exploit-mitigations.md index cb460630894dc..748757658442a 100644 --- a/src/doc/rustc/src/exploit-mitigations.md +++ b/src/doc/rustc/src/exploit-mitigations.md @@ -33,6 +33,11 @@ mitigations in order to mitigate vulnerabilities resulting from the use of Unsafe Rust. This chapter is going to document these exploit mitigations and how they apply to Rust. +This chapter does not discuss the effectiveness of these exploit mitigations +as they vary greatly depending on several factors besides their design and +implementation, but rather describe what they do, so their effectiveness can +be understood within a given context. + ## Exploit mitigations From d97746496065736700f1e54373b2021fa578e99f Mon Sep 17 00:00:00 2001 From: Ramon de C Valle Date: Wed, 14 Oct 2020 18:35:26 -0700 Subject: [PATCH 15/23] Rephrase paragraph about ARM MTE --- src/doc/rustc/src/exploit-mitigations.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/src/doc/rustc/src/exploit-mitigations.md b/src/doc/rustc/src/exploit-mitigations.md index 748757658442a..2c6e3e6f2014a 100644 --- a/src/doc/rustc/src/exploit-mitigations.md +++ b/src/doc/rustc/src/exploit-mitigations.md @@ -363,11 +363,12 @@ elements, invalid pointers, invalid sizes, double/multiple “frees” of the same memory allocated, and many corner cases of these. These checks are implementation specific, and vary per allocator. -Newer ARM-based processors will provide hardware assistance (i.e., [ARM -Memory Tagging Extension -[MTE]](https://community.arm.com/developer/ip-products/processors/b/processors-ip-blog/posts/enhancing-memory-safety)) -to detect memory safety violations by tagging memory allocations, and -automatically checking that the correct tag is used on every memory access. +[ARM Memory Tagging Extension +(MTE)](https://community.arm.com/developer/ip-products/processors/b/processors-ip-blog/posts/enhancing-memory-safety), +when available, will provide hardware assistance for a probabilistic +mitigation to detect memory safety violations by tagging memory allocations, +and automatically checking that the correct tag is used on every memory +access. Rust’s default allocator has historically been [jemalloc](http://jemalloc.net/), and it has long been the cause of issues From 9999616790763895e1c5e8e57f08cea63de7b0f6 Mon Sep 17 00:00:00 2001 From: Ramon de C Valle Date: Thu, 29 Oct 2020 23:41:51 -0700 Subject: [PATCH 16/23] Remove deadwood from sentence --- src/doc/rustc/src/exploit-mitigations.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/doc/rustc/src/exploit-mitigations.md b/src/doc/rustc/src/exploit-mitigations.md index 2c6e3e6f2014a..5e23b91193f88 100644 --- a/src/doc/rustc/src/exploit-mitigations.md +++ b/src/doc/rustc/src/exploit-mitigations.md @@ -30,8 +30,8 @@ susceptible to memory corruption (CWE-119)[8] and concurrency issues increase the difficulty to exploit vulnerabilities resulting from these issues. Therefore, the Rust compiler must also support these exploit mitigations in order to mitigate vulnerabilities resulting from the use of -Unsafe Rust. This chapter is going to document these exploit mitigations and -how they apply to Rust. +Unsafe Rust. This chapter documents these exploit mitigations and how they +apply to Rust. This chapter does not discuss the effectiveness of these exploit mitigations as they vary greatly depending on several factors besides their design and From 5f0856804292a6f4b73cb0f5771877657d8f6af8 Mon Sep 17 00:00:00 2001 From: Josh Stone Date: Mon, 16 Nov 2020 14:08:21 -0800 Subject: [PATCH 17/23] x.py: allow a custom string appended to the version This adds `rust.description` to the config as a descriptive string to be appended to `rustc --version` output, which is also used in places like debuginfo `DW_AT_producer`. This may be useful for supplementary build information, like distro-specific package versions. For example, in Fedora 33, `gcc --version` outputs: gcc (GCC) 10.2.1 20201016 (Red Hat 10.2.1-6) With this change, we can add similar vendor info to `rustc --version`. --- config.toml.example | 5 +++++ src/bootstrap/config.rs | 3 +++ src/bootstrap/configure.py | 1 + src/bootstrap/lib.rs | 8 +++++++- 4 files changed, 16 insertions(+), 1 deletion(-) diff --git a/config.toml.example b/config.toml.example index c9e183887504c..5b045d4e32d8d 100644 --- a/config.toml.example +++ b/config.toml.example @@ -446,6 +446,11 @@ changelog-seen = 2 # nightly features #channel = "dev" +# A descriptive string to be appended to `rustc --version` output, which is +# also used in places like debuginfo `DW_AT_producer`. This may be useful for +# supplementary build information, like distro-specific package versions. +#description = "" + # The root location of the musl installation directory. #musl-root = "..." diff --git a/src/bootstrap/config.rs b/src/bootstrap/config.rs index 94319a6d1e9e2..b8ec666ff95a5 100644 --- a/src/bootstrap/config.rs +++ b/src/bootstrap/config.rs @@ -152,6 +152,7 @@ pub struct Config { // misc pub low_priority: bool, pub channel: String, + pub description: Option, pub verbose_tests: bool, pub save_toolstates: Option, pub print_step_timings: bool, @@ -470,6 +471,7 @@ struct Rust { parallel_compiler: Option, default_linker: Option, channel: Option, + description: Option, musl_root: Option, rpath: Option, verbose_tests: Option, @@ -841,6 +843,7 @@ impl Config { .map(|v| v.parse().expect("failed to parse rust.llvm-libunwind")); set(&mut config.backtrace, rust.backtrace); set(&mut config.channel, rust.channel); + config.description = rust.description; set(&mut config.rust_dist_src, rust.dist_src); set(&mut config.verbose_tests, rust.verbose_tests); // in the case "false" is set explicitly, do not overwrite the command line args diff --git a/src/bootstrap/configure.py b/src/bootstrap/configure.py index 322e9d6923295..42f00ce962174 100755 --- a/src/bootstrap/configure.py +++ b/src/bootstrap/configure.py @@ -146,6 +146,7 @@ def v(*args): v("experimental-targets", "llvm.experimental-targets", "experimental LLVM targets to build") v("release-channel", "rust.channel", "the name of the release channel to build") +v("release-description", "rust.description", "optional descriptive string for version output") # Used on systems where "cc" is unavailable v("default-linker", "rust.default-linker", "the default linker") diff --git a/src/bootstrap/lib.rs b/src/bootstrap/lib.rs index ca140b9d27828..06ccd72186dd1 100644 --- a/src/bootstrap/lib.rs +++ b/src/bootstrap/lib.rs @@ -1082,7 +1082,13 @@ impl Build { /// Note that this is a descriptive string which includes the commit date, /// sha, version, etc. fn rust_version(&self) -> String { - self.rust_info.version(self, &self.version) + let mut version = self.rust_info.version(self, &self.version); + if let Some(ref s) = self.config.description { + version.push_str(" ("); + version.push_str(s); + version.push_str(")"); + } + version } /// Returns the full commit hash. From a7677f77146bd69b26b5fb5eaa8f88ac080ff347 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Fri, 20 Nov 2020 10:25:59 +0100 Subject: [PATCH 18/23] reference NonNull::dangling --- library/alloc/src/boxed.rs | 10 ++++++---- library/core/src/ptr/mod.rs | 11 ++++++----- 2 files changed, 12 insertions(+), 9 deletions(-) diff --git a/library/alloc/src/boxed.rs b/library/alloc/src/boxed.rs index 7fd91aba321c5..9676572e45d3a 100644 --- a/library/alloc/src/boxed.rs +++ b/library/alloc/src/boxed.rs @@ -62,10 +62,12 @@ //! T` obtained from [`Box::::into_raw`] may be deallocated using the //! [`Global`] allocator with [`Layout::for_value(&*value)`]. //! -//! For zero-sized values, the `Box` pointer still has to be [valid] for reads and writes and -//! sufficiently aligned. In particular, casting any aligned non-zero integer literal to a raw -//! pointer produces a valid pointer, but a pointer pointing into previously allocated memory that -//! since got freed is not valid. +//! For zero-sized values, the `Box` pointer still has to be [valid] for reads +//! and writes and sufficiently aligned. In particular, casting any aligned +//! non-zero integer literal to a raw pointer produces a valid pointer, but a +//! pointer pointing into previously allocated memory that since got freed is +//! not valid. The recommended way to build a Box to a ZST if `Box::new` cannot +//! be used is to use [`ptr::NonNull::dangling`]. //! //! So long as `T: Sized`, a `Box` is guaranteed to be represented //! as a single pointer and is also ABI-compatible with C pointers diff --git a/library/core/src/ptr/mod.rs b/library/core/src/ptr/mod.rs index 243346a429a99..6544dd4fd7a5e 100644 --- a/library/core/src/ptr/mod.rs +++ b/library/core/src/ptr/mod.rs @@ -20,11 +20,12 @@ //! be *dereferenceable*: the memory range of the given size starting at the pointer must all be //! within the bounds of a single allocated object. Note that in Rust, //! every (stack-allocated) variable is considered a separate allocated object. -//! * Even for operations of [size zero][zst], the pointer must not be "dangling" in the sense of -//! pointing to deallocated memory. However, casting any non-zero integer literal to a pointer is -//! valid for zero-sized accesses. This corresponds to writing your own allocator; allocating -//! zero-sized objects is not very hard. In contrast, when you use the standard allocator, after -//! memory got deallocated, even zero-sized accesses to that memory are invalid. +//! * Even for operations of [size zero][zst], the pointer must not be pointing to deallocated +//! memory, i.e., deallocation makes pointers invalid even for zero-sized operations. However, +//! casting any non-zero integer *literal* to a pointer is valid for zero-sized accesses, even if +//! some memory happens to exist at that address and gets deallocated. This corresponds to writing +//! your own allocator: allocating zero-sized objects is not very hard. The canonical way to +//! obtain a pointer that is valid for zero-sized accesses is [`NonNull::dangling`]. //! * All accesses performed by functions in this module are *non-atomic* in the sense //! of [atomic operations] used to synchronize between threads. This means it is //! undefined behavior to perform two concurrent accesses to the same location from different From a64d0d4774db30bd37ec2ede87e966dcdd33dfc2 Mon Sep 17 00:00:00 2001 From: Yoshua Wuyts Date: Fri, 20 Nov 2020 01:42:43 +0100 Subject: [PATCH 19/23] Add `core::slice::fill_with` --- library/core/src/slice/mod.rs | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/library/core/src/slice/mod.rs b/library/core/src/slice/mod.rs index 79ae1d5829a24..a8f199e17a804 100644 --- a/library/core/src/slice/mod.rs +++ b/library/core/src/slice/mod.rs @@ -2599,6 +2599,34 @@ impl [T] { } } + /// Fills `self` with elements returned by calling a closure repeatedly. + /// + /// This method uses a closure to create new values. If you'd rather + /// [`Clone`] a given value, use [`fill`]. If you want to use the [`Default`] + /// trait to generate values, you can pass [`Default::default`] as the + /// argument. + /// + /// [`fill`]: #method.fill + /// + /// # Examples + /// + /// ``` + /// #![feature(slice_fill_with)] + /// + /// let mut buf = vec![1; 10]; + /// buf.fill_with(Default::default); + /// assert_eq!(buf, vec![0; 10]); + /// ``` + #[unstable(feature = "slice_fill_with", issue = "79221")] + pub fn fill_with(&mut self, mut f: F) + where + F: FnMut() -> T, + { + for el in self { + *el = f(); + } + } + /// Copies the elements from `src` into `self`. /// /// The length of `src` must be the same as `self`. From 993bb072ff30a0e6fbc4689ba1639dfdb951888c Mon Sep 17 00:00:00 2001 From: Vadim Petrochenkov Date: Thu, 12 Nov 2020 23:42:42 +0300 Subject: [PATCH 20/23] rustc_expand: Mark inner `#![test]` attributes as soft-unstable --- compiler/rustc_resolve/src/macros.rs | 29 +++++++++---------- library/std/src/num/tests.rs | 6 ++-- .../issue-43106-gating-of-test.rs | 1 + .../issue-43106-gating-of-test.stderr | 2 +- src/test/ui/issues/issue-28134.rs | 1 + src/test/ui/issues/issue-28134.stderr | 2 +- src/test/ui/proc-macro/proc-macro-gates.rs | 5 ++++ .../ui/proc-macro/proc-macro-gates.stderr | 12 +++++++- 8 files changed, 37 insertions(+), 21 deletions(-) diff --git a/compiler/rustc_resolve/src/macros.rs b/compiler/rustc_resolve/src/macros.rs index 1ee96f81e4fab..c8dbe68512857 100644 --- a/compiler/rustc_resolve/src/macros.rs +++ b/compiler/rustc_resolve/src/macros.rs @@ -22,7 +22,7 @@ use rustc_hir::def::{self, DefKind, NonMacroAttrKind}; use rustc_hir::def_id; use rustc_middle::middle::stability; use rustc_middle::ty; -use rustc_session::lint::builtin::UNUSED_MACROS; +use rustc_session::lint::builtin::{SOFT_UNSTABLE, UNUSED_MACROS}; use rustc_session::parse::feature_err; use rustc_session::Session; use rustc_span::edition::Edition; @@ -459,22 +459,21 @@ impl<'a> Resolver<'a> { } // We are trying to avoid reporting this error if other related errors were reported. - if inner_attr + if res != Res::Err + && inner_attr && !self.session.features_untracked().custom_inner_attributes - && path != &sym::test - && res != Res::Err { - feature_err( - &self.session.parse_sess, - sym::custom_inner_attributes, - path.span, - match res { - Res::Def(..) => "inner macro attributes are unstable", - Res::NonMacroAttr(..) => "custom inner attributes are unstable", - _ => unreachable!(), - }, - ) - .emit(); + let msg = match res { + Res::Def(..) => "inner macro attributes are unstable", + Res::NonMacroAttr(..) => "custom inner attributes are unstable", + _ => unreachable!(), + }; + if path == &sym::test { + self.session.parse_sess.buffer_lint(SOFT_UNSTABLE, path.span, node_id, msg); + } else { + feature_err(&self.session.parse_sess, sym::custom_inner_attributes, path.span, msg) + .emit(); + } } Ok((ext, res)) diff --git a/library/std/src/num/tests.rs b/library/std/src/num/tests.rs index 2f50b73f4907f..df0df3f23f756 100644 --- a/library/std/src/num/tests.rs +++ b/library/std/src/num/tests.rs @@ -75,8 +75,8 @@ fn test_checked_mul() { macro_rules! test_is_power_of_two { ($test_name:ident, $T:ident) => { + #[test] fn $test_name() { - #![test] assert_eq!((0 as $T).is_power_of_two(), false); assert_eq!((1 as $T).is_power_of_two(), true); assert_eq!((2 as $T).is_power_of_two(), true); @@ -96,8 +96,8 @@ test_is_power_of_two! { test_is_power_of_two_uint, usize } macro_rules! test_next_power_of_two { ($test_name:ident, $T:ident) => { + #[test] fn $test_name() { - #![test] assert_eq!((0 as $T).next_power_of_two(), 1); let mut next_power = 1; for i in 1 as $T..40 { @@ -118,8 +118,8 @@ test_next_power_of_two! { test_next_power_of_two_uint, usize } macro_rules! test_checked_next_power_of_two { ($test_name:ident, $T:ident) => { + #[test] fn $test_name() { - #![test] assert_eq!((0 as $T).checked_next_power_of_two(), Some(1)); let smax = $T::MAX >> 1; assert_eq!(smax.checked_next_power_of_two(), Some(smax + 1)); diff --git a/src/test/ui/feature-gate/issue-43106-gating-of-test.rs b/src/test/ui/feature-gate/issue-43106-gating-of-test.rs index d343746955f39..ee3fe712e36e5 100644 --- a/src/test/ui/feature-gate/issue-43106-gating-of-test.rs +++ b/src/test/ui/feature-gate/issue-43106-gating-of-test.rs @@ -1,5 +1,6 @@ // The non-crate level cases are in issue-43106-gating-of-builtin-attrs.rs. +#![allow(soft_unstable)] #![test = "4200"] //~^ ERROR cannot determine resolution for the attribute macro `test` diff --git a/src/test/ui/feature-gate/issue-43106-gating-of-test.stderr b/src/test/ui/feature-gate/issue-43106-gating-of-test.stderr index a7d3a1e16840e..335af5e7905f2 100644 --- a/src/test/ui/feature-gate/issue-43106-gating-of-test.stderr +++ b/src/test/ui/feature-gate/issue-43106-gating-of-test.stderr @@ -1,5 +1,5 @@ error: cannot determine resolution for the attribute macro `test` - --> $DIR/issue-43106-gating-of-test.rs:3:4 + --> $DIR/issue-43106-gating-of-test.rs:4:4 | LL | #![test = "4200"] | ^^^^ diff --git a/src/test/ui/issues/issue-28134.rs b/src/test/ui/issues/issue-28134.rs index fa692db4bf66c..1ed2d330b5123 100644 --- a/src/test/ui/issues/issue-28134.rs +++ b/src/test/ui/issues/issue-28134.rs @@ -1,3 +1,4 @@ // compile-flags: --test +#![allow(soft_unstable)] #![test] //~ ERROR cannot determine resolution for the attribute macro `test` diff --git a/src/test/ui/issues/issue-28134.stderr b/src/test/ui/issues/issue-28134.stderr index 5f8d27dd043b1..8ed4d015f3216 100644 --- a/src/test/ui/issues/issue-28134.stderr +++ b/src/test/ui/issues/issue-28134.stderr @@ -1,5 +1,5 @@ error: cannot determine resolution for the attribute macro `test` - --> $DIR/issue-28134.rs:3:4 + --> $DIR/issue-28134.rs:4:4 | LL | #![test] | ^^^^ diff --git a/src/test/ui/proc-macro/proc-macro-gates.rs b/src/test/ui/proc-macro/proc-macro-gates.rs index 4c72ecbfc03a8..e2cf4e7398756 100644 --- a/src/test/ui/proc-macro/proc-macro-gates.rs +++ b/src/test/ui/proc-macro/proc-macro-gates.rs @@ -45,4 +45,9 @@ fn attrs() { //~^ ERROR: custom attributes cannot be applied to expressions } +fn test_case() { + #![test] //~ ERROR inner macro attributes are unstable + //~| WARN this was previously accepted +} + fn main() {} diff --git a/src/test/ui/proc-macro/proc-macro-gates.stderr b/src/test/ui/proc-macro/proc-macro-gates.stderr index 33a808037eea5..118213a17d462 100644 --- a/src/test/ui/proc-macro/proc-macro-gates.stderr +++ b/src/test/ui/proc-macro/proc-macro-gates.stderr @@ -76,6 +76,16 @@ LL | let _x = #[identity_attr] println!(); = note: see issue #54727 for more information = help: add `#![feature(proc_macro_hygiene)]` to the crate attributes to enable -error: aborting due to 9 previous errors +error: inner macro attributes are unstable + --> $DIR/proc-macro-gates.rs:49:8 + | +LL | #![test] + | ^^^^ + | + = note: `#[deny(soft_unstable)]` on by default + = warning: this was previously accepted by the compiler but is being phased out; it will become a hard error in a future release! + = note: for more information, see issue #64266 + +error: aborting due to 10 previous errors For more information about this error, try `rustc --explain E0658`. From 5ed2d4233472a37b1754804257930d29b5cd7b4b Mon Sep 17 00:00:00 2001 From: Eduard-Mihai Burtescu Date: Fri, 20 Nov 2020 19:34:44 +0200 Subject: [PATCH 21/23] Direct RUSTC_LOG (tracing/log) output to stderr instead of stdout. --- compiler/rustc_driver/src/lib.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/compiler/rustc_driver/src/lib.rs b/compiler/rustc_driver/src/lib.rs index c544761255534..e49e456792b0d 100644 --- a/compiler/rustc_driver/src/lib.rs +++ b/compiler/rustc_driver/src/lib.rs @@ -1286,6 +1286,7 @@ pub fn init_env_logger(env: &str) { } let filter = tracing_subscriber::EnvFilter::from_env(env); let layer = tracing_tree::HierarchicalLayer::default() + .with_writer(io::stderr) .with_indent_lines(true) .with_ansi(true) .with_targets(true) From f99410bb4bddb0d1c8d45c3cd26b554543a36b42 Mon Sep 17 00:00:00 2001 From: Alex Crichton Date: Fri, 20 Nov 2020 09:12:14 -0800 Subject: [PATCH 22/23] std: Update the backtrace crate submodule This commit updates the `library/backtrace` submodule which primarily pulls in support for split-debuginfo on macOS, avoiding the need for `dsymutil` to get run to get line numbers and filenames in backtraces. --- Cargo.lock | 26 ++++++++++---------------- library/backtrace | 2 +- library/std/Cargo.toml | 6 +++--- 3 files changed, 14 insertions(+), 20 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 3dba4f935e595..1a0eb7d0bd411 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2,9 +2,9 @@ # It is not intended for manual editing. [[package]] name = "addr2line" -version = "0.13.0" +version = "0.14.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1b6a2d3371669ab3ca9797670853d61402b03d0b4b9ebf33d677dfa720203072" +checksum = "7c0929d69e78dd9bf5408269919fcbcaeb2e35e5d43e5815517cdc6a8e11a423" dependencies = [ "compiler_builtins", "gimli", @@ -132,13 +132,13 @@ checksum = "f8aac770f1885fd7e387acedd76065302551364496e46b3dd00860b2f8359b9d" [[package]] name = "backtrace" -version = "0.3.53" +version = "0.3.55" dependencies = [ "addr2line", "cfg-if 1.0.0", "libc", "miniz_oxide", - "object 0.21.1", + "object", "rustc-demangle", ] @@ -1292,9 +1292,9 @@ dependencies = [ [[package]] name = "gimli" -version = "0.22.0" +version = "0.23.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "aaf91faf136cb47367fa430cd46e37a788775e7fa104f8b4bcb3861dc389b724" +checksum = "f6503fe142514ca4799d4c26297c4248239fe8838d827db6bd6065c6ed29a6ce" dependencies = [ "compiler_builtins", "rustc-std-workspace-alloc", @@ -2181,21 +2181,15 @@ dependencies = [ [[package]] name = "object" -version = "0.20.0" +version = "0.22.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1ab52be62400ca80aa00285d25253d7f7c437b7375c4de678f5405d3afe82ca5" +checksum = "8d3b63360ec3cb337817c2dbd47ab4a0f170d285d8e5a2064600f3def1402397" dependencies = [ "compiler_builtins", "rustc-std-workspace-alloc", "rustc-std-workspace-core", ] -[[package]] -name = "object" -version = "0.21.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "37fd5004feb2ce328a52b0b3d01dbf4ffff72583493900ed15f22d4111c51693" - [[package]] name = "once_cell" version = "1.4.1" @@ -4668,7 +4662,7 @@ dependencies = [ "hermit-abi", "libc", "miniz_oxide", - "object 0.20.0", + "object", "panic_abort", "panic_unwind", "profiler_builtins", @@ -5262,7 +5256,7 @@ dependencies = [ "chrono", "lazy_static", "matchers", - "parking_lot 0.9.0", + "parking_lot 0.11.0", "regex", "serde", "serde_json", diff --git a/library/backtrace b/library/backtrace index 8b8ea53b56f51..af078ecc0b069 160000 --- a/library/backtrace +++ b/library/backtrace @@ -1 +1 @@ -Subproject commit 8b8ea53b56f519dd7780defdd4254daaec892584 +Subproject commit af078ecc0b069ec594982f92d4c6c58af99efbb5 diff --git a/library/std/Cargo.toml b/library/std/Cargo.toml index ad9d1238370ec..71d00b5c08735 100644 --- a/library/std/Cargo.toml +++ b/library/std/Cargo.toml @@ -23,14 +23,14 @@ unwind = { path = "../unwind" } hashbrown = { version = "0.9.0", default-features = false, features = ['rustc-dep-of-std'] } # Dependencies of the `backtrace` crate -addr2line = { version = "0.13.0", optional = true, default-features = false } +addr2line = { version = "0.14.0", optional = true, default-features = false } rustc-demangle = { version = "0.1.18", features = ['rustc-dep-of-std'] } miniz_oxide = { version = "0.4.0", optional = true, default-features = false } [dependencies.object] -version = "0.20" +version = "0.22" optional = true default-features = false -features = ['read_core', 'elf', 'macho', 'pe'] +features = ['read_core', 'elf', 'macho', 'pe', 'unaligned', 'archive'] [dev-dependencies] rand = "0.7" From 0f61664bb1886aa5969fe804126c684259b18b2c Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Sat, 21 Nov 2020 00:35:48 +0100 Subject: [PATCH 23/23] update miri --- src/tools/miri | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tools/miri b/src/tools/miri index c8f51fc5a772a..746ea5b141baf 160000 --- a/src/tools/miri +++ b/src/tools/miri @@ -1 +1 @@ -Subproject commit c8f51fc5a772a125f3b3ad7fe46609a4638ca509 +Subproject commit 746ea5b141baf1f86c2ad17753a37b135e0c1aa3